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(54) DATA PROVIDING SYSTEM, DEVICE, AND METHOD 



(57) A content provider 101 distributes a secure 
container 1 04 storing content data encrypted using con- 
tent key data, content key data encrypted using distri- 
bution key data, and encrypted usage control policy data 
indicating the handling of the content data to a SAM 



105-, of a user home network 103 etc. The SAM 105^ 
etc. decrypts the content data and usage control policy 
data stored in the secure container 1 04 and determines 
the purchase mode and usage mode and other handling 
of the content data based on said decrypted usage con- 
trol policy data. 
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Description 

TECHNICAL FIELD 

[0001] The present invention relates to a data provid- 
ing system and a data providing apparatus and methods 
of the same for providing content data and a manage- 
ment apparatus and a data processing apparatus used 
in the same. 

BACKGROUND ART 

[0002] There is a data providing system for distribut- 
ing encrypted content data to data processing appara- 
tuses of users concluding a predetermined contract and 
comprising the related data processing apparatuses de- 
crypt, reproduce, and store the content data. 
[0003] As one of such data providing systems, there 
is a conventional EMD (electronic music distribution) 
system for distributing music data. 
[0004] Figure 100 is a view of the configuration of a 
conventional ElVID system 700. 

[0005] In the EMD system 700 shown in Fig. 1 00, con- 
tent providers 701a and 701b encrypt content data 
704a, 704b, and 704c and copyright information 705a, 
705b, and 705c by session key data obtained after mu- 
tual authentication andsupply them to aservice provider 
710 on-line or off-line. Here, the copyright information 
705a, 705b, and 705c include for example SCMS (serial 
copy IVIanagement system) information, electronic wa- 
termark information requesting burying in content data, 
and information concerning the copyright requesting 
burying in a transmission protocol of the service provider 
710. 

[0006] The service provider 71 0 decrypts the received 
content data 704a, 704b, and 704c and copyright infor- 
mation 705a, 705b, and 705c by using the session key 
data. 

[0007] Then, the service provider 71 0 buries the cop- 
yright information 705a, 705b, and 705c in the content 
data 704a, 704b, and 704c decrypted or received off- 
line to generate content data 707a, 707b, and 707c. At 
this time, the service provider 710 changes a predeter- 
mined frequency domain of for example the electronic 
watermark information in the copyright information 
705a, 705b, and 705c and buries it in the content data 
704a, 704b, and 704c and buries the SCMS information 
in a network protocol used when transmitting the related 
content data to the user. 

[0008] Further, the service provider 71 0 encrypts the 
content data 707a, 707b, and 707c by using content key 
data Kca, Kcb, and Kcc read from a key database 706. 
Thereafter, the service provider 710 encrypts a secure 
container 722 with the encrypted content data 707a, 
707b, and 707c stored therein by the session key data 
obtained after the mutual authentication and transmits 
the same to a CA (conditional access) module 711 ex- 
isting in terminal equipment 709 of the user. 



[0009] The CA module 711 decrypts the secure con- 
tainer 722 by using the session key data. Further, the 
CA module 71 1 receives the content key data Kca, Kcb, 
and Kcc from the key database 706 of the service pro- 

5 vider 710 by using an electronic settlement and CA or 
other charging function and decrypts them by using the 
session key data. Due to this, in the terminal equipment 
709, it becomes possible to decrypt the content data 
707a, 707b, and 707c by using the content key data Kca, 

10 Kcb, and Kcc. 

[0010] At this time, the CA module 711 performs 
charge processing in units of content, generates charg- 
ing information 721 in accordance with the result of this, 
encrypts this by the session key data, and then transmits 

15 the same to a right clearing module 720 of the service 
provider 710. 

[0011] In this case, the CA module 711 collects the 
items it desires to manage relating to the service pro- 
vided by the service provider 710 itself, that is, the con- 

20 tract (update) information of the user and the monthly 
base fee or other network rent, performs charge 
processing in units of content, and secures the security 
of a physical layer of the network. 
[0012] The service provider 71 0 distributes profit be- 

25 tween the service provider 710 and the content provid- 
ers 701a, 701b, and 701c when receiving the charge 
information 721 from the CA module 711. 
[0013] At this time, the profit is distributed from the 
service provider 710 to the content providers 701a, 

30 701 b, and 701 c via for example the JASRAC (Japanese 
Society for Rights of Authors, Composers, and Publish- 
ers). Further, the profit of the content provider is distrib- 
uted to the copyright owner, artist, song writer and/or 
composer, and affiliated production company of the re- 

35 lated content data by the JASRAC. 

[0014] Further, the terminal equipment 709, when 
storing the content data 707a, 707b, and 707c decrypt- 
ed by using the content key data Kca, Kcb, and Kcc in 
a RAM type storage medium 723 or the like, rewrites the 

40 SCMS bits of the copyright information 705a, 705b, and 
705c to control copying. Namely, the user side controls 
copying to protect the copyright based on the SCMS bits 
buried in the content data 707a, 707b, and 707c. 
[0015] The SCMS was established for preventing 

45 storing from a CD (compact disc) to a DAT (digital audio 
tape). Copying between one DAT and another DAT is 
still possible. Further, even when burying electronic wa- 
termark information in the content data, when a problem 
arises, only the content provider which provided thecon- 

50 tent data concerned is specified. Illegal copying is not 
prevented by technical means. 

[0016] Accordingly, in the EMD system 700 shown in 
Fig. 1 00, there is the problem in that the right (profit) of 
the content provider is not sufficiently protected. 
55 [0017] Further, in the above EMD system 700, since 
the copyright information of the content provider is bur- 
ied in the content data by the service provider, the con- 
tent provider must inspect if the information has been 
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buried as requested. Further, the content provider must 
inspect if the service provider has distributed the content 
data as contracted. For this reason, there is the problem 
that the load for the inspection is large. 
[0018] Further, in the EIVID system 700, the charging 
information 721 from the terminal equipment 709 of the 
user is processed by the right clearing module 720 of 
the service provider 71 0, so there is a concern if the prof- 
it which should be received by the content provider in 
accordance with the usage of the content data by the 
user can be suitably received by the content provider. 

DISCLOSURE OF THE INVENTION 

[0019] The present invention was made in consider- 
ation with the problem of the above related art and has 
as an object thereof to provide a data providing system 
and a data providing apparatus and methods of the 
same and a data processing apparatus and a manage- 
ment apparatus capable of suitably protecting the profits 
of the owners of rights (related parties) of a content pro- 
vider. 

[0020] Further, the present invention has as another 
object the provision of a data providing system and a 
data providing apparatus and methods of the same and 
a data processing apparatus and a management appa- 
ratus capable of reducing the load of the inspection for 
protecting the profits of the owners of rights of a content 
provider. 

[0021] In order to solve the problems of the prior art 
and achieve the above objects, the data providing sys- 
tem of a first aspect of the present invention is a data 
providing system for distributing content data from a da- 
ta providing apparatus to a data processing apparatus, 
wherein the data providing apparatus distributes a mod- 
ule storing the content data encrypted by using content 
key data, encrypted content key data, and an encrypted 
usage control policy data indicating handling of the con- 
tent data to the data processing apparatus and wherein 
the data processing apparatus decrypts the content key 
data and the usage control policy data stored in the dis- 
tributed module and determines the handling of the con- 
tent data based on the related decrypted usage control 
policy data. 

[0022] In the data providing system of the first aspect 
of the invention, the module storing the content data en- 
crypted by using the content key data, the encrypted 
content key data, and the encrypted usage control policy 
data indicating the handling of the content data is dis- 
tributed from the data providing apparatus to the data 
processing apparatus. 

[0023] Then, in the data processing apparatus, the 
content key data and the usage control policy data 
stored in the distributed module are decrypted, and the 
handling of the content data is determined based on the 
related decrypted usage control policy data. 
[0024] By storing the usage control policy data indi- 
cating the handling of the related content data in the 



module storing the content data in this way, in the data 
processing apparatus, it becomes possible to handle 
(use) the content data based on the usage control policy 
data generated by related parties of the data providing 

5 apparatus. 

[0025] Further, in the data providing system of the first 
aspect of the invention, preferably the data providing ap- 
paratus distributes the module storing the encrypted 
content key data and the usage control policy data to 

10 the data processing apparatus by using distribution key 
data, and the data processing apparatus decrypts the 
content key data and the usage control policy data 
stored in the distributed module by using the distribution 
key data. 

15 [0026] Further, the data providing system of the first 
aspect of the invention preferably further has a manage- 
ment apparatus for managing the distribution key data 
and distributing the distribution key data to the data pro- 
viding apparatus and the data processing apparatus. 

20 [0027] Further, a data processing apparatus of a sec- 
ond aspect of the invention is a data processing appa- 
ratus utilizing content data distributed from a data pro- 
viding apparatus, which receives a module storing con- 
tent data encrypted by using content key data, encrypt- 

25 ed content key data, and encrypted usage control policy 
data indicating the handling of the content data from the 
data providing apparatus, decrypts the content key data 
and the usage control policy data stored in the related 
received module, and determines the handling of the 

30 content data based on the related decrypted usage con- 
trol policy data. 

[0028] Further, a data providing system of a third as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, a data distribution ap- 

35 paratus, and a data processing apparatus, wherein the 
data providing apparatus provides a first module storing 
content data encrypted by using content key data, en- 
crypted content key data, and encrypted usage control 
policy data indicating the handling of the content data to 

40 the data distribution apparatus, the data distribution ap- 
paratus distributes a second module storing the encrypt- 
ed content data, content key data, and usage control 
policy data stored in the provided first module to the data 
processing apparatus, and the data processing appara- 

45 tus decrypts the content key data and the usage control 
policy data stored in the distributed second module and 
determines the handling of the content data based on 
the related decrypted usage control policy data. 
[0029] In the data providing system of the third aspect 

50 of the invention, the first module storing the content data 
encrypted by using the content key data, encrypted con- 
tent key data, and encrypted usage control policy data 
indicating the handling of the content data is provided 
from the data providing apparatus to the data distribu- 

55 tion apparatus. 

[0030] Next, the second module storing the encrypted 
content data, content key data, and usage control policy 
data stored in the provided first module is distributed 
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from the data distribution apparatus to the data process- 
ing apparatus. 

[0031] Next, in the data processing apparatus, the 
content key data and the usage control policy data 
stored in the distributed second module are decrypted, 
and the handling of the content data is determined 
based on the related decrypted usage control policy da- 
ta. 

[0032] Further, in the data providing system of the 

third aspect of the invention, preferably the data distri- 
bution apparatus distributes the second module storing 
price data indicating the price of the content data to the 
data processing apparatus. 

[0033] Further, a data providing system of a fourth as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, at least a first data dis- 
tribution apparatus and a second data distribution ap- 
paratus, and a data processing apparatus, wherein the 
data providing apparatus provides a first module storing 
content data encrypted by using content key data, en- 
crypted content key data, and encrypted usage control 
policy data indicating the handling of the content data to 
the plurality of data distribution apparatuses, the first da- 
ta distribution apparatus distributes the second module 
storing the encrypted content data, content key data, 
and usage control policy data stored in the provided first 
module to the data processing apparatus, the second 
data distribution apparatus distributes a third module 
storing the encrypted content data, content key data, 
and usage control policy data stored in the provided first 
module to the data processing apparatus, and the data 
processing apparatus decrypts the content key data and 
the usage control policy data stored in the distributed 
second module and the third module and determines the 
handling of the content data based on the related de- 
crypted usage control policy data. 
[0034] Further, a data providing system of a fifth as- 
pect of the invention is a data providing system compris- 
ing at least a first data providing apparatus and a second 
data providing apparatus, a data distribution apparatus, 
and a data processing apparatus, wherein the first data 
providing apparatus provides a first module storing first 
content data encrypted by using first content key data, 
encrypted first content key data, and encrypted first us- 
age control policy data indicating the handling of the first 
content data to the data distribution apparatus, the sec- 
ond data providing apparatus provides a second module 
storing second content data encrypted by using second 
content key data, encrypted second content key data, 
and encrypted second usage control policy data indicat- 
ing the handling of the second content data to the data 
distribution apparatus, the data distribution apparatus 
distributes a third module storing the encrypted first con- 
tent data, the first content key data, and the first usage 
control policy data stored in the provided first module 
and the encrypted second content data, the second con- 
tent key data, and the second usage control policy data 
stored in the provided second module to the data 



processing apparatus, and the data processing appara- 
tus decrypts the first content key data and the first usage 
control policy data stored in the distributed third module, 
determines the handling of the first content data based 
5 on the related decrypted first usage control policy data, 
decrypts the second content key data and the second 
usage control policy data stored in the distributed third 
module, and determines the handling of the second con- 
tent data based on the related decrypted second usage 
control policy data. 

[0035] Further, a data providing apparatus of a sixth 
aspect of the invention is a data providing apparatus for 
distributing content data to a data processing apparatus 
for using the content data and distributes a module stor- 
ing content data encrypted by using the content key da- 
ta, encrypted content key data, and encrypted usage 
control policy data indicating the handling of the content 
data to the data processing apparatus. 
[0036] Further, a data providing method of a seventh 
aspect of the invention is a data providing method for 
distributing content data from a data providing appara- 
tus to a data processing apparatus, comprising the 
steps of distributing a module storing content data en- 
crypted by using content key data, encrypted content 
key data, and encrypted usage control policy data indi- 
cating the handling of the content data from the data pro- 
viding apparatus to the data processing apparatus and 
having the data processing apparatus decrypt the con- 
tent key data and the usage control policy data stored 
in the distributed module and determine the handling of 
the content data based on the related decrypted usage 
control policy data. 

[0037] Further, a data providing method of an eighth 
aspect of the invention is a data providing method using 
a data providing apparatus, data distribution apparatus, 
and data processing apparatus, comprising the steps of 
providing a first module storing content data encrypted 
by using content key data, encrypted content key data, 
and encrypted usage control policy data indicating the 
handling of the content data from the data providing ap- 
paratus to the data distribution apparatus, distributing a 
second module storing the encrypted content data, con- 
tent key data, and usage control policy data stored in 
the provided first module from the data distribution ap- 
paratus to the data processing apparatus, and having 
the data processing apparatus decrypt the content key 
data and the usage control policy data stored in the dis- 
tributed second module and determine the handling of 
the content data based on the related decrypted usage 
control policy data. 

[0038] Further, a data providing method of a ninth as- 
pect of the invention is a data providing method using a 
data providing apparatus, at least a first data distribution 
apparatus and second data distribution apparatus, and 
a data processing apparatus, comprising the steps of 
providing a first module storing content data encrypted 
by using content key data, encrypted content key data, 
and encrypted usage control policy data indicating the 



15 



20 



25 



30 



35 



40 



45 



50 



4 



7 



EP 1 120 715 A1 



8 



handling of the content data from the data providing ap- 
paratus to the data distribution apparatuses, distributing 
a second module storing the encrypted content data, 
content key data, and usage control policy data stored 
in the provided first module from the first data distribu- 
tion apparatus to the data processing apparatus, distrib- 
uting a third module storing the encrypted content data, 
content key data, and usage control policy data stored 
in the provided first module from the second data distri- 
bution apparatus to the data processing apparatus, and 
having the data processing apparatus decrypt the con- 
tent key data and the usage control policy data stored 
in the distributed second module and the third module 
and determine the handling of the content data based 
on the related decrypted usage control policy data. 
[0039] Further, a data providing method of a 1 0th as- 
pect of the invention is a data providing method using 
at least a first data providing apparatus and second data 
providing apparatus, a data distribution apparatus, and 
a data processing apparatus, comprising the steps of 
providing a first module storing first content data en- 
crypted by using first content key data, encrypted first 
content key data, and encrypted first usage control pol- 
icy data indicating the handling of the first content data 
from the first data providing apparatus to the data dis- 
tribution apparatus, providing a second module storing 
second content data encrypted by using second content 
key data, encrypted second content key data, and en- 
crypted second usage control policy data indicating the 
handling of the second content data from the second 
data providing apparatus to the data distribution appa- 
ratus, distributing a third module storing the encrypted 
first content data, the first content key data, and the first 
usage control policy data stored in the provided first 
module and the encrypted second content data, the sec- 
ond content key data, and the second usage control pol- 
icy data stored in the provided second module from the 
data distribution apparatus to the data processing ap- 
paratus, and having the data processing apparatus de- 
crypt the first content key data and the first usage control 
policy data stored in the distributed third module, deter- 
mine the handling of the first content data based on the 
related decrypted first usage control policy data, decrypt 
the second content key data and the second usage con- 
trol policy data stored in the distributed third module, and 
determine the handling of the second content data 
based on the related decrypted second usage control 
policy data 

[0040] Further, a data providing system of an 11th as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data processing appa- 
ratus, and management apparatus, wherein the data 
providing apparatus distributes content data and usage 
control policy data indicating the handling of the related 
content data to the data processing apparatus and re- 
quests to the management apparatus to certify legitima- 
cy of the usage control policy data, the data processing 
apparatus uses the distributed content data based on 



the distributed usage control policy data, and the man- 
agement apparatus manages the data providing appa- 
ratus and the data processing apparatus and certifies 
the legitimacy of the usage control policy data in re- 

5 sponse to a request from the data providing apparatus. 
[0041] At this time, the legitimacy of the usage control 
policy data is certified by the management apparatus by 
the management apparatus preparing for example sig- 
nature data with respect to the usage control policy data. 

10 [0042] In the data providing system of the 11th aspect 
of the invention, the content data and the usage control 
policy data indicating the handling of the related content 
data are distributed from the data providing apparatus 
to the data processing apparatus. 

15 [0043] Next, the data processing apparatus uses the 
distributed content data based on the distributed usage 
control policy data. 

[0044] Further, the legitimacy of the usage control pol- 
icy data is certified in the management apparatus in re- 

20 sponse to a request from the data providing apparatus. 
[0045] Further, in the data providing system of the 
11th aspect of the invention, preferably the data provid- 
ing apparatus makes the request by transmitting a mod- 
ule storing the usage control policy data, its own identi- 

25 fier, and at least signature data generated by using its 
own secret key data with respect to the usage control 
policy data to the management apparatus. 
[0046] Further, in the data providing system of the 
11th aspect of the invention, preferably the manage- 

30 ment apparatus distributes public key certificate data for 
certifying the legitimacy of the public key data corre- 
sponding to the secret key data of the data providing 
apparatus to the data providing apparatus together with 
the signature data generated by using its own secret key 

35 data, and the data providing apparatus makes a request 
by transmitting a module storing the public key certifi- 
cate data, the usage control policy data, its own identi- 
fier, and the signature data to the management appara- 
tus. 

40 [0047] Further, in the data providing system of the 
11th aspect of the invention, preferably the manage- 
ment apparatus manages distribution key data, distrib- 
utes the related distribution key data to the data 
processing apparatus, generates signature data gener- 
is ated by using its own secret key data with respect to the 
usage control policy data in response to a request from 
the data providing apparatus, encrypts a module storing 
the related generated signature data and the usage con- 
trol policy data by using the distribution key data, and 
50 transmits the same to the data providing apparatus, the 
data providing apparatus distributes a module received 
from the management apparatus to the data processing 
apparatus, and the data processing apparatus decrypts 
the module received from the data providing apparatus 
55 by using the distribution key data, verifies the legitimacy 
of the signature data stored in the related module by us- 
ing the public key data of the management apparatus, 
and uses the distributed content data based on the us- 
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age control policy data stored in the module when it de- 
cides it is legitimate. 

[0048] Further, a data providing system of a 12th as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data processing appa- 
ratus, and management apparatus, wherein the data 
providing apparatus encrypts content data by using con- 
tent key data, distributes the related encrypted content 
data to the data processing apparatus, and requests to 
the management apparatus to certify the legitimacy of 
the content key data, the data processing apparatus de- 
crypts the distributed content data by using the content 
key data and uses the related decrypted content data, 
and the management apparatus manages the data pro- 
viding apparatus and the data processing apparatus 
and certifies the legitimacy of the content key data in 
response to a request from the data providing appara- 
tus. 

[0049] In the data providing system of the 1 2th aspect 
of the invention, the content data encrypted by using the 
content key data is distributed from the data providing 
apparatus to the data processing apparatus. 
[0050] Next, the data processing apparatus decrypts 
the distributed content data by using the content key da- 
ta and uses the related decrypted content data. 
[0051] Further, the legitimacy of the content key data 
is certified in the management apparatus in response to 
a request from the data providing apparatus. 
[0052] Further, a data providing system of a 13th as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 
paratus, wherein the data providing apparatus provides 
content data and usage control policy data indicating the 
handling of the related content data to the data distribu- 
tion apparatus and requests to the management appa- 
ratus to certify the legitimacy of the usage control policy 
data, the data distribution apparatus distributes the pro- 
vided content data and the usage control policy data to 
the data processing apparatus, the data processing ap- 
paratus uses the distributed content data based on the 
distributed usage control policy data, and the manage- 
ment apparatus manages the data providing apparatus 
and the data processing apparatus and certifies the le- 
gitimacy of the usage control policy data in response to 
a request from the data providing apparatus. 
[0053] In the data providing system of the 13th aspect 
of the invention, the content data encrypted by using the 
content key data is distributed from the data providing 
apparatus to the data processing apparatus. 
[0054] Next, the data processing apparatus decrypts 
the distributed content data by using the content key da- 
ta and uses the related decrypted content data. 
[0055] Further, the legitimacy of the content key data 
is certified in the management apparatus in response to 
a request from the data providing apparatus. 
[0056] A data providing system of a 1 4th aspect of the 
invention is a data providing system comprising a data 



providing apparatus, data distribution apparatus, data 
processing apparatus, and management apparatus, 
wherein the data providing apparatus encrypts content 
data by using content key data, provides related en- 

5 crypted content data, and usage control policy data in- 
dicating the handling of the related content data to the 
data distribution apparatus, and requests to the man- 
agement apparatus to certify the legitimacy of the con- 
tent key data, the data distribution apparatus distributes 

10 the provided content data and the usage control policy 
data to the data processing apparatus, the data 
processing apparatus uses the content data containing 
the decryption of the content data using the content key 
data based on the distributed usage control policy data, 

f5 and the management apparatus manages the data pro- 
viding apparatus and the data processing apparatus 
and certifies the legitimacy of the content key data in 
response to a request from the data providing appara- 
tus. 

20 [0057] In the data providing system of the 1 4th aspect 
of the invention, the content data encrypted by using the 
content key data and usage control policy data indicat- 
ing the handling of the related content data are provided 
from the data providing apparatus to the data distribu- 

25 tlon apparatus. 

[0058] Next, the content data and the usage control 
policy data provided from the data distribution apparatus 
to the data processing apparatus are distributed to the 
data processing apparatus. 

30 [0059] Next, the data processing apparatus uses the 
content data containing thedecryption of the content da- 
ta using the content key data based on the distributed 
usage control policy data. 

[0060] Further, the management apparatus certifies 
35 the legitimacy of the content key data in response to a 
request from the data providing apparatus. 
[0061] Further, a management apparatus of a 15th 
aspect of the invention is a management apparatus for 
managing a data providing apparatus for distributing 
40 content data and usage control policy data indicating the 
handling of the related content data and a data process- 
ing apparatus for using the distributed content data 
based on the distributed usage control policy data and 
certifies the legitimacy of the usage control policy data 
45 in response to a request from the data providing appa- 
ratus. 

[0062] Further, a management apparatus of a 16th 
aspect of the invention is a management apparatus for 
managing a data providing apparatus for distributing 

50 content data encrypted by using content key data and 
usage control policy data indicating the handling of the 
related content data and a data processing apparatus 
for decrypting the content data distributed based on the 
distributed usage control policy data by using the con- 

55 tent key data, then using the related content data and 
certifies the legitimacy of the content key data in re- 
sponse to a request from the data providing apparatus. 
[0063] Further, a management apparatus of a 17th 
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aspect of the invention is a management apparatus for 
managing a data providing apparatus for providing con- 
tent data and usage control policy data indicating the 
handling of the related content data, a data distribution 
apparatus for distributing the provided content data and 
the usage control policy data, and a data processing ap- 
paratus for using the content data distributed based on 
the distributed usage control policy data and certifies the 
legitimacy of the usage control policy data in response 
to a request from the data providing apparatus. 
[0064] Further, a data providing method of an 18th as- 
pect of the invention is a data providing method using a 
data providing apparatus, data processing apparatus, 
and management apparatus, comprising the steps of 
distributing content data and usage control policy data 
indicating the handling of the related content data from 
the data providing apparatus to the data processing ap- 
paratus, having the data processing apparatus use the 
distributed content data based on the distributed usage 
control policy data, and certifying the legitimacy of the 
usage control policy data in the management apparatus 
in response to a request from the data providing appa- 
ratus. 

[0065] Further, a data providing method of a 1 9th as- 
pect of the invention is a data providing method using a 
data providing apparatus, data processing apparatus, 
and management apparatus, comprising the steps of 
distributing content data encrypted by using content key 
data from the data providing apparatus to the data 
processing apparatus, having the data processing ap- 
paratus decrypt the distributed content data by using the 
content key data, and certifying the legitimacy of the 
content key data in the management apparatus in re- 
sponse to a request from the data providing apparatus. 
[0066] Further, a data providing method of a 20th as- 
pect of the invention is a data providing method using a 
data providing apparatus, data distribution apparatus, 
data processing apparatus, and management appara- 
tus, comprising the steps of providing content data and 
usage control policy data indicating the handling of the 
related content data from the data providing apparatus 
to the data distribution apparatus, distributing the pro- 
vided content data and the usage control policy data 
from the data distribution apparatus to the data process- 
ing apparatus, having the data processing apparatus 
use the distributed content data based on the distributed 
usage control policy data, and certifying the legitimacy 
of the usage control policy data in the management ap- 
paratus in response to a request from the data providing 
apparatus. 

[0067] Further, a data providing method of a 21 st as- 
pect of the invention is a data providing method using a 
data providing apparatus, data distribution apparatus, 
data processing apparatus, and management appara- 
tus, comprising the steps of providing content data en- 
crypted by using content key data and usage control pol- 
icy data indicating the handling of the related content 
data from the data providing apparatus to the data dis- 



tribution apparatus, distributing the content data and the 
usage control policy data provided from the data distri- 
bution apparatus to the data processing apparatus to 
the data processing apparatus, using the content data 

5 containing the decryption of the content data using the 
content key data based on the distributed usage control 
policy data in the data processing apparatus, and certi- 
fying the legitimacy of the content key data in the man- 
agement apparatus in response to a request from the 

10 data providing apparatus. 

[0068] Further, a data providing system of a 22nd as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data processing appa- 
ratus, and management apparatus, wherein the data 

15 providing apparatus distributes content data and usage 
control policy data indicating the handling of the related 
content data to the data processing apparatus, the data 
processing apparatus determines at least one of a pur- 
chase mode and a usage mode of the distributed con- 

20 tent data based on the distributed usage control policy 
data and transmits log data indicating the log of at least 
one of the related determined purchase mode and us- 
age mode to the management apparatus, and the man- 
agement apparatus manages the data providing appa- 

25 ratus and the data processing apparatus and performs 
profit distribution processing for distributing the profit 
obtained accompanied with the purchase and the usage 
of the content data in the data processing apparatus to 
related parties of the data providing apparatus based on 

30 received log data. 

[0069] In the dataproviding system of the 22nd aspect 
of the invention, the content data and the usage control 
policy data indicating the handling of the related content 
data are distributed from the data providing apparatus 

35 to the data processing apparatus. 

[0070] Next, the data processing apparatus deter- 
mines at least one of the purchase mode and the usage 
mode of the distributed content data based on the dis- 
tributed usage control policy data. 

40 [0071] Next, the log data indicating the log of at least 
one of the related determined purchase mode and us- 
age mode is transmitted from the data processing ap- 
paratus to the management apparatus. 
[0072] Next, the management apparatus manages 

45 the data providing apparatus and the data processing 
apparatus and perform the profit distribution processing 
for distributing the profit obtained accompanied with the 
purchase and the usage of the content data in the data 
processing apparatus to related parties of the data pro- 

50 viding apparatus based on the received log data. 

[0073] Further, a data providing system of a 23rd as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 

55 paratus, wherein the data providing apparatus provides 
content data and usage control policy data indicating the 
handling of the related content data to the data distribu- 
tion apparatus, the data distribution apparatus distrib- 
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utes the provided content data and the usage control 
policy data to the data processing apparatus, the data 
processing apparatus has a first module for communi- 
cating with the data distribution apparatus and a second 
module for determining at least one of a purchase mode 
and usage mode of the distributed content data based 
on the distributed usage control policy data and trans- 
mitting log data indicating the log of the related deter- 
mined purchase mode and usage mode to the manage- 
ment apparatus, and the management apparatus man- 
ages the data providing apparatus, data distribution ap- 
paratus, and data processing apparatus and performs 
profit distribution processing for distributing the profit 
obtained accompanied with the data processing appa- 
ratus receiving the distribution of the content data and 
purchasing and using the content data to related parties 
of the data providing apparatus and the data distribution 
apparatus based on the log data received from the sec- 
ond module. 

[0074] In the data providing system of the 23rd aspect 
of the invention, the content data and the usage control 
policy data indicating the handling of the related content 
data are provided from the data providing apparatus to 
the data distribution apparatus. 
[0075] Next, the provided content data and the usage 
control policy data are distributed from the data distri- 
bution apparatus to the data processing apparatus. 
[0076] Next, the data processing apparatus deter- 
mines at least one of the purchase mode and the usage 
mode of the distributed content data based on the dis- 
tributed usage control policy data. 
[0077] Next, the log data indicating the log of the de- 
termined purchase mode and usage mode is transmit- 
ted from the data processing apparatus to the manage- 
ment apparatus. 

[0078] Next, the management apparatus performs 
profit distribution processing for distributing the profit 
obtained accompanied with the data processing appa- 
ratus receiving the distribution of the content data and 
purchasing and using the content data to related parties 
of the data providing apparatus and the data distribution 
apparatus based on the received log data. 
[0079] Further, a data providing system of a 24th as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 
paratus, wherein the data providing apparatus provides 
content data and usage control policy data indicating the 
handling of the related content data to the data distribu- 
tion apparatus, the data distribution apparatus distrib- 
utes the provided content data and the usage control 
policy data to the data processing apparatus and per- 
forms charge processing concerning the distribution of 
the content data based on a data distribution apparatus 
use purchase log data received from the data process- 
ing apparatus, the data processing apparatus has a first 
module for creating the data distribution apparatus use 
purchase log data indicating the log of the purchase of 



the content data distributed from the data distribution 
apparatus and transmitting the same to the data distri- 
bution apparatus and a second module for determining 
at least one of the purchase mode and the usage mode 

5 of the distributed content data based on the distributed 
usage control policy data and transmitting a manage- 
ment apparatus use log data indicating the log of the 
related determined purchase mode and usage mode to 
the management apparatus, and the management ap- 

10 paratus performs profit distribution processing for dis- 
tributing the profit obtained accompanied with the pur- 
chase and the usage of the content data in the data 
processing apparatus to related parties of the data pro- 
viding apparatus and the data distribution apparatus 

15 based on the management apparatus use log data. 
[0080] Further, a data providing system of a 25th as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 

20 paratus, wherein the data providing apparatus provides 
the content data to the data distribution apparatus, the 
data distribution apparatus distributes the provided con- 
tent data to the data processing apparatus, the data 
processing apparatus uses the distributed content data, 

25 and the management apparatus manages operation of 
a data providing service by the data providing appara- 
tus, the data distribution apparatus, and the data 
processing apparatus. 

[0081] Further, a data providing system of a 26th as- 

30 pectof the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 
paratus, wherein the data providing apparatus provides 
content data to the data distribution apparatus, the data 

35 distribution apparatus distributes the provided content 
data to the data processing apparatus, the data 
processing apparatus uses the distributed content data, 
and the management apparatus manages the operation 
of a data providing service by the data providing appa- 

40 ratus, the data distribution apparatus, and the data 
processing apparatus, wherein the transmission of data 
among the data providing apparatus, the data distribu- 
tion apparatus, the data processing apparatus, and the 
management apparatus is carried out by using mutual 

45 authentication using a public key encryption method, 
signature creation, signature verification, and encryp- 
tion of data by a common key encryption method. 
[0082] Further, a data providing system of a 27th as- 
pect of the invention is a data providing system compris- 

50 ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 
paratus, wherein the data providing apparatus provides 
content data to the data distribution apparatus, the data 
distribution apparatus distributes the provided content 

55 data to the data processing apparatus, the data 
processing apparatus uses the distributed content data, 
and the management apparatus manages the operation 
of a data providing service by the data providing appa- 
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ratus, the data distribution apparatus, and tine data 
processing apparatus, generates signature data indicat- 
ing that the related data is generated by itself by using 
its own secret key data when each of the data providing 
apparatus, the data distribution apparatus, and the data 
processing apparatus supplies the data to another ap- 
paratus, and generates and manages public l<ey certif- 
icate data of public l<ey data corresponding to the secret 
key data of the data providing apparatus, the data dis- 
tribution apparatus, and the data processing apparatus 
when the legitimacy of the signature data corresponding 
to the data is verified by using the public key data of the 
related other apparatus when receiving the supply of the 
related data from the other apparatus, wherein the data 
providing apparatus, the data distribution apparatus, 
and the data processing apparatus acquire the their own 
public key certificate data from the management appa- 
ratus before communicating with the other apparatus 
and transmit the related acquired public key certificate 
data to the other apparatus. 

[0083] Further, a data providing system of a 28th as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 
paratus, the data providing apparatus provides content 
data to the data distribution apparatus, the data distri- 
bution apparatus distributes the provided content data 
to the data processing apparatus, the data processing 
apparatus uses the distributed content data, and the 
management apparatus manages the operation of a da- 
ta providing service by the data providing apparatus, the 
data distribution apparatus, and the data processing ap- 
paratus, generates the signature data indicating that the 
related data is generated by itself by using its own secret 
key data when each of the data providing apparatus, the 
data distribution apparatus, and the data processing ap- 
paratus supplies data to another apparatus, and gener- 
ates and manages public key certificate data of public 
key data corresponding to the secret key data of the data 
providing apparatus, the data distribution apparatus, 
and the data processing apparatus when the legitimacy 
of the signature data corresponding to the data is veri- 
fied by using the public key data of the related other ap- 
paratus when receiving the supply of the related data 
from the other apparatus, wherein the data providing ap- 
paratus, the data distribution apparatus, and the data 
processing apparatus acquire their own public key cer- 
tificate data from the management apparatus before 
communicating with the other apparatus and transmit 
the related acquired public key certificate data to the oth- 
er apparatus at the communication. 
[0084] Further, a data providing system of a 29th as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, data processing apparatus, 
and management apparatus, wherein the data providing 
apparatus provides content data to the data distribution 
apparatus, the data distribution apparatus distributes 
the provided content data to the data processing appa- 



ratus, the data processing apparatus uses the distribut- 
ed content data, and the management apparatus man- 
ages the operation of a data providing service by the 
data providing apparatus, the data distribution appara- 
5 tus, and the data processing apparatus, generates sig- 
nature data indicating that the related data is generated 
by itself by using its own secret key data when each of 
the data providing apparatus, the data distribution ap- 
paratus, and the data processing apparatus supplies 
10 data to another apparatus, generates and manages 
public key certificate data of public key data correspond- 
ing to the secret key data of the data providing appara- 
tus, the data distribution apparatus, and the data 
processing apparatus when the legitimacy of the signa- 
ls ture data corresponding to the data is verified by using 
the public key data of the related other apparatus when 
receiving the supply of the related data from the other 
apparatus, and generates a public key certificate revo- 
cation list for specifying public key certificate data to be 
20 invalidated among the generated public key certificate 
data and thereby to restrict the communication or the 
distribution using public key certificate data specif led by 
the public key certificate revocation list by the data pro- 
viding apparatus, the data distribution apparatus, and 
25 the data processing apparatus. 

[0085] Further, a data providing system of a 30th as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, data processing apparatus, 
and management apparatus, wherein the data providing 
30 apparatus provides content data to the data distribution 
apparatus, the data distribution apparatus distributes 
the provided content data to the data processing appa- 
ratus, the management apparatus manages the opera- 
tion of a data providing service by the data providing 
35 apparatus, the data distribution apparatus, and the data 
processing apparatus, generates signature data indicat- 
ing that the related data is generated by an apparatus 
itself by using its own secret key data when the data 
providing apparatus supplies data to another apparatus, 
40 generates and manages public key certificate data of 
public key data corresponding to the secret key data of 
the data providing apparatus for when another appara- 
tus verifies the legitimacy of the related signature data 
by using the public key data corresponding to the secret 
45 key data, generates a public key certificate revocation 
list for specifying public key certificate data to be inval- 
idated among the generated public key certificate data, 
distributes the related public key certificate revocation 
list to the data processing apparatus, and the data 
50 processing apparatus verifies whether or not public key 
certificate data of the data providing apparatus providing 
the distributed content data is invalid based on the public 
key certificate revocation list distributed from the man- 
agement apparatus and controls the usage of the dis- 
ss tributed content data based on the result of the related 
verification. 

[0086] Further, a data providing system of a 31st as- 
pect of the invention has a data providing apparatus, da- 
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ta distribution apparatus, data processing apparatus, 
and management apparatus, wherein the management 
apparatus manages the operation of a data providing 
service by the data providing apparatus, the data distri- 
bution apparatus, and the data processing apparatus, 
generates signature data indicating that the related data 
is generated by an apparatus itself by using its own se- 
cret key data when the data providing apparatus sup- 
plies data to another apparatus, generates and manag- 
es public key certificate data of public key data corre- 
sponding to the secret key data of the data providing 
apparatus for when another apparatus verifies the legit- 
imacy of the related signature data by using the public 
key data corresponding to the secret key data, gener- 
ates a public key certificate revocation list for specifying 
public key certificate data to be invalidated among the 
generated public key certificate data, distributes the re- 
lated public key certificate revocation list to the data dis- 
tribution apparatus, and the data distribution apparatus 
verifies whether or not public key certificate data of the 
data providing apparatus providing the provided content 
data is invalid based on the public key certificate revo- 
cation list distributed from the management apparatus, 
and controls the distribution of the provided content data 
to the data processing apparatus based on the result of 
the related verification. 

[0087] Further, a data providing system of a 32nd as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, data processing apparatus, 
and management apparatus, wherein the management 
apparatus manages the operation of a data providing 
service by the data providing apparatus, the data distri- 
bution apparatus, and the data processing apparatus, 
generates signature data indicating that the related data 
is generated by an apparatus itself by using its own se- 
cret key data when the data distribution apparatus sup- 
plies data to another apparatus, generates and manag- 
es public key certificate data of public key data corre- 
sponding to the secret key data of the data distribution 
apparatus for when another apparatus verifies the legit- 
imacy of the related signature data by using the public 
key data corresponding to the secret key data, gener- 
ates a public key certificate revocation list for specifying 
public key certificate data to be invalidated among the 
generated public key certificate data, and distributes the 
related public key certificate revocation list to the data 
providing apparatus, the data providing apparatus veri- 
fies whether or not public key certificate data of the data 
distribution apparatus of the destination of provision of 
the content data is invalid and controls the provision of 
the content data to the data distribution apparatus based 
on the result of the related verification, the data distri- 
bution apparatus distributes the provided content data 
to the data processing apparatus, and the data process- 
ing apparatus uses the distributed content data. 
[0088] Further, a data providing system of a 33rd as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, data processing apparatus, 



and management apparatus, wherein the management 
apparatus manages the operation of a data providing 
service by the data providing apparatus, the data distri- 
bution apparatus, and the data processing apparatus, 

5 generates signature data indicating that the related data 
is generated by an apparatus itself by using its own se- 
cret key data when the data distribution apparatus sup- 
plies data to another apparatus, generates and manag- 
es public key certificate data of public key data corre- 

10 sponding to the secret key data of the data distribution 
apparatus for when another apparatus verifies the legit- 
imacy of the related signature data by using the public 
key data corresponding to the secret key data, gener- 
ates a public key certificate revocation list for specifying 

^5 public key certificate data to be invalidated among the 
generated public key certificate data, and distributes the 
related public key certificate revocation list to the data 
distribution apparatus, the data providing apparatus 
provides content data to the data distribution apparatus, 

20 the data distribution apparatus distributes the provided 
content data and the distributed public key certificate 
revocation list to the data processing apparatus, and the 
data processing apparatus verifies whether or not public 
key certificate data of the data distribution apparatus 

25 distributing the distributed content data is invalid based 
on the distributed public key certificate revocation list 
and controls the usage of the distributed content data 
based on the result of the related verification. 
[0089] Further, a data providing system of a 34th as- 

30 pact of the invention has a data providing apparatus, da- 
ta distribution apparatus, data processing apparatus, 
and management apparatus, wherein the management 
apparatus manages the operation of a data providing 
service by the data providing apparatus, the data distri- 

35 bution apparatus, and the data processing apparatus, 
generates signature data indicating that the related data 
is generated by an apparatus itself by using its own se- 
cret key data when the data distribution apparatus sup- 
plies data to another apparatus, generates and manag- 

40 es public key certificate data of public key data corre- 
sponding to the secret key data of the data distribution 
apparatus for when another apparatus verifies the legit- 
imacy of the related signature data by using public key 
data corresponding to the secret key data, generates a 

45 public key certificate revocation list for specifying public 
key certificate data to be invalidated among the gener- 
ated public key certificate data, and distributes the re- 
lated public key certificate revocation list to the data 
processing apparatus, the data providing apparatus 

50 provides content data to the data distribution apparatus, 
the data distribution apparatus distributes the provided 
content data to the data processing apparatus, and the 
data processing apparatus verifies whether or not public 
key certificate data of the data distribution apparatus 

55 distributing the distributed content data is invalid based 
on the distributed public key certificate revocation list 
and controls the usage of the distributed content data 
based on the result of the related verification. 
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[0090] Further, a data providing system of a 35th as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, data processing apparatus, 
and management apparatus, wherein the management 
apparatus manages the operation of a data providing 
service by the data providing apparatus, the data distri- 
bution apparatus, and the data processing apparatus, 
generates signature data indicating that the related data 
is generated by an apparatus itself by using its own se- 
cret key data when the data distribution apparatus sup- 
plies data to another apparatus, generates and manag- 
es public key certificate data of public key data corre- 
sponding to the secret key data of the data distribution 
apparatus for when another apparatus verifies the legit- 
imacy of the related signature data by using public key 
data corresponding to the secret key data, generates a 
public key certificate revocation list for specifying public 
key certificate data to be invalidated among the gener- 
ated public key certificate data, and distributes the re- 
lated public key certificate revocation list to the data pro- 
viding apparatus, the data providing apparatus provides 
content data and the public key certificate revocation list 
to the data distribution apparatus, the data distribution 
apparatus distributes the provided content data and 
public key certificate revocation list to the data process- 
ing apparatus, and the data processing apparatus veri- 
fies whether or not public key certificate data of the data 
distribution apparatus distributing the distributed con- 
tent data is invalid based on the distributed public key 
certificate revocation list and controls the usage of the 
distributed content data based on the result of the relat- 
ed verification. 

[0091] Further, a data providing system of a 36th as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, a plurality of data processing 
apparatuses, and a management apparatus, wherein 
the management apparatus manages the operation of 
a data providing service by the data providing appara- 
tus, the data distribution apparatus, and the data 
processing apparatuses, generates signature data indi- 
cating that the related data is generated by an apparatus 
itself by using its own secret key data when a data 
processing apparatus supplies data to another appara- 
tus, generates and manages public key certificate data 
of public key data corresponding to the secret key data 
of the data processing apparatuses for when another 
apparatus verifies the legitimacy of the related signature 
data by using the public key data corresponding to the 
secret key data, generates a public key certificate rev- 
ocation list for specifying public key certificate data to 
be invalidated among the generated public key certifi- 
cate data, and distributes the related public key certifi- 
cate revocation list to the data providing apparatus, the 
data providing apparatus provides content data and the 
public key certificate revocation list to the data distribu- 
tion apparatus, the data distribution apparatus distrib- 
utes the provided content data and a public key certifi- 
cate revocation list to the data processing apparatuses. 



and the data processing apparatuses verify whether or 
not public key certificate data of the other data process- 
ing apparatuses are invalid based on the public key cer- 
tificate revocation list distributed from the data distribu- 
5 tion apparatus and control the communication with other 
data processing apparatuses based on the result of the 
related verification. 

[0092] Further, a data providing system of a 37th as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, a plurality of data processing 
apparatuses, and a management apparatus, wherein 
the management apparatus manages the operation of 
a data providing service by the data providing appara- 
tus, the data distribution apparatus, and the data 
processing apparatuses, generates signature data indi- 
cating that the related data is generated by an apparatus 
itself by using its own secret key data when a data 
processing apparatus supplies data to another appara- 
tus, generates and manages public key certificate data 
of public key data corresponding to the secret key data 
of the data processing apparatuses for when another 
apparatus verifies the legitimacy of the related signature 
data by using the public key data corresponding to the 
secret key data, generates a public key certificate rev- 
ocation list for specifying public key certificate data to 
be invalidated among the generated public key certifi- 
cate data, and distributes the related public key certifi- 
cate revocation list to the data providing apparatus, the 
data providing apparatus provides content data to the 
data distribution apparatus, the data distribution appa- 
ratus distributes the provided content data and the dis- 
tributed public key certificate revocation list to the data 
processing apparatuses, and the data processing appa- 
ratuses verify whether or not public key certificate data 
of other data processing apparatuses are invalid based 
on the public key certificate revocation list distributed 
from the data distribution apparatus, and control the 
communication with other data processing apparatuses 
based on the result of the related verification. 
[0093] Further, a data providing system of a 38th as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, a plurality of data processing 
apparatuses, and a management apparatus, wherein a 
data processing apparatus supplies registration data, 
indicating an already registered data processing appa- 
ratus connected in a predetermined network to which is 
connected, to the management apparatus, refers to a 
revocation flag in registration data supplied from the 
management apparatus and restricts communication 
with another data processing apparatus having public 
key certificate data indicated as invalid by the revocation 
flag, the management apparatus manages the opera- 
tion of a data providing service by the data providing 
apparatus, the data distribution apparatus, and the data 
processing apparatuses, generates and manages pub- 
lic key certificate data of public key data corresponding 
to the secret key data for when a data processing appa- 
ratus generates signature data indicating legitimacy of 
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data using its own secret key data wlien supplying data 
to another apparatus, generates a public key certificate 
revocation list for specifying public key certificate data 
to be invalidated among the generated public key cer- 
tificate data, stores the related public key certificate rev- 
ocation list, generates new registration data by setting 
the revocation flag in the registration data supplied from 
data processing apparatuses based on the related pub- 
lic key certificate revocation list, and distributes the re- 
lated generated registration data to the data processing 
apparatuses, the data providing apparatus provides 
content data to the data distribution apparatus, and the 
data distribution apparatus distributes the provided con- 
tent data to the data processing apparatuses. 
[0094] Further, a data providing system of a 39th as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, a plurality of data processing 
apparatuses, and a management apparatus, wherein 
the management apparatus manages the operation of 
a data providing service by the data providing appara- 
tus, the data distribution apparatus, and the data 
processing apparatuses, generates and manages pub- 
lic key certificate data of public key data corresponding 
to the secret key data for when a data processing appa- 
ratus generates signature data indicating the legitimacy 
of data by using its own secret key data when supplying 
the related data to another apparatus, generates a pub- 
lic key certificate revocation list for specifying public key 
certificate data to be invalidated among the generated 
public key certificate data, and distributes the related 
public key certificate revocation list to the data providing 
apparatus, the data providing apparatus provides con- 
tent data and the public key certificate revocation list to 
the data distribution apparatus, the data distribution ap- 
paratus distributes the provided content data and the 
public key certificate revocation list to the data process- 
ing apparatuses, and a data processing apparatus sets 
a revocation flag in registration data indicating an al- 
ready registered data processing apparatus connected 
in a predetermined network to which it is connected 
based on the distributed public key certificate revocation 
list and restricts communication with another data 
processing apparatus having public key certificate data 
indicated as invalid by the related revocation flag. 
[0095] Further, a data providing system of a 40th as- 
pect of the invention has a data providing apparatus, da- 
ta distribution apparatus, a plurality of data processing 
apparatuses, and a management apparatus, wherein 
the management apparatus manages the operation of 
a data providing service by the data providing appara- 
tus, the data distribution apparatus, and the data 
processing apparatuses, generates and manages pub- 
lic key certificate data of public key data corresponding 
to the secret key data for when a data processing appa- 
ratus generates signature data indicating the legitimacy 
of the data by using its own secret key data when sup- 
plying the related data to another apparatus, generates 
a public key certificate revocation list for specifying pub- 



lic key certificate data to be invalidated among the gen- 
erated public key certificate data, and distributes the re- 
lated public key certificate revocation list to the data dis- 
tribution apparatus, the data providing apparatus pro- 

5 vides content data to the data distribution apparatus, the 
data distribution apparatus distributes the provided con- 
tent data and the public key certificate revocation list to 
the data processing apparatuses, and a data processing 
apparatus sets a revocation flag in registration data in- 

10 dicating an already registered data processing appara- 
tus connected in a predetermined network to which it is 
connected based on the distributed public key certificate 
revocation list and restricts communication with another 
data processing apparatus having public key certificate 

15 data indicated as invalid by the related revocation flag. 
[0096] Further, a data providing system of a 41st as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 

20 paratus, wherein the data providing apparatus provides 
content data and usage control policy data indicating the 
handling of the related content data to the data distribu- 
tion apparatus, the data distribution apparatus distrib- 
utes the provided content data and the usage control 

25 policy data to the data processing apparatus, the data 
processing apparatus has a first module for communi- 
cating with the data distribution apparatus and a second 
module for determining at least one of a purchase mode 
and usage mode of the distributed content data based 

30 on the distributed usage control policy data and trans- 
mitting log data indicating the log of the related deter- 
mined purchase mode and usage mode to the manage- 
ment apparatus, the management apparatus manages 
the data providing apparatus, data distribution appara- 

35 tus, and data processing apparatus and has a settle- 
ment function for performing profit distribution process- 
ing for distributing the profit obtained accompanied with 
the data processing apparatus receiving distribution of 
the content data and purchasing and using the content 

40 data to related parties of the data providing apparatus 
and the data distribution apparatus based on the log da- 
ta received from the second module and performing set- 
tlement based on the result of the related profit distribu- 
tion processing and a right management function for 

45 registering the usage control policy data. 

[0097] Further, a data providing system of a 42nd as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 

50 paratus, wherein the data providing apparatus provides 
content data and usage control policy data indicating the 
handling of the related content data to the data distribu- 
tion apparatus, the data distribution apparatus has a 
charging function for performing settlement processing 

55 by using settlement claim data distributed from the man- 
agement apparatus and distributes the provided content 
data and the usage control policy data to the data 
processing apparatus, the data processing apparatus 
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has a first module for communicating with the data dis- 
tribution apparatus and a second module for determin- 
ing at least one of a purchase mode and usage mode 
of the distributed content data based on the distributed 
usage control policy data and transmitting log data indi- 
cating the log of the related determined purchase mode 
and usage mode to the management apparatus, the 
management apparatus manages the data providing 
apparatus, data distribution apparatus, and data 
processing apparatus and has a settlement claim data 
creation function for performing profit distribution 
processing for distributing the profit obtained accompa- 
nied with the data processing apparatus receiving dis- 
tribution of the content data and purchasing and using 
the content data to related parties of the data providing 
apparatus and the data distribution apparatus based on 
the log data received from the second module, creating 
settlement claim data used when performing settlement 
based on the result of the related profit distribution 
processing, and supplying the same to the data distri- 
bution apparatus and a right management function for 
registering the usage control policy data. 
[0098] Further, a data providing system of a 43rd as- 
pect of the invention is a data providing system compris- 
ing a data providing apparatus, data distribution appa- 
ratus, data processing apparatus, and management ap- 
paratus, wherein the data providing apparatus has a 
charging function for performing settlement processing 
by using settlement claim data distributed from the man- 
agement apparatus and provides content data and us- 
age control policy data indicating the handling of the re- 
lated content data to the data distribution apparatus, the 
data distribution apparatus distributes the provided con- 
tent data and the usage control policy data to the data 
processing apparatus, the data processing apparatus 
has a first module for communicating with the data dis- 
tribution apparatus and a second module for determin- 
ing at least one of a purchase mode and usage mode 
of the distributed content data based on the distributed 
usage control policy data and transmitting log data indi- 
cating the log of the related determined purchase mode 
and usage mode to the management apparatus, the 
management apparatus manages the data providing 
apparatus, data distribution apparatus, and data 
processing apparatus and has a settlement claim data 
creation function for performing profit distribution 
processing for distributing the profit obtained accompa- 
nied with the data processing apparatus receiving the 
distribution of the content data and purchasing and us- 
ing the content data to related parties of the data pro- 
viding apparatus and the data distribution apparatus 
based on the log data received from the second module, 
creating settlement claim data used when performing 
settlement based on the result of the related profit dis- 
tribution processing, and distributing the same to the da- 
ta providing apparatus and a right management function 
for registering the usage control policy data. 
[0099] Further, a management apparatus of a 44th 



aspect of the invention is a management apparatus for 
managing a data providing apparatus for distributing 
content data and usage control policy data indicating the 
handling of the related content data and a data process- 

5 ing apparatus for determining at least one of a purchase 
mode and a usage mode of the distributed content data 
based on the distributed usage control policy data and 
creating log data indicating the log of at least one of the 
related determined purchase mode and usage mode 

10 and receives the log data from the data processing ap- 
paratus and performs profit distribution processing for 
distributing the profit obtained accompanied with the 
purchase and the usage of the content data in the data 
processing apparatus to related parties of the data pro- 

15 viding apparatus based on the related received log data. 
[0100] Further, a management apparatus of a 45th 
aspect of the invention is a management apparatus for 
managing a data providing apparatus for providing con- 
tent data and usage control policy data indicating the 

20 handling of the related content data, a data distribution 
apparatus for distributing the provided content data and 
the usage control policy data, and a data processing ap- 
paratus for determining at least one of a purchase mode 
and usage mode of the distributed content data based 

25 on the distributed usage control policy data and creating 
log data indicating the log of at least one of the related 
determined purchase mode and usage mode and per- 
forms profit distribution processing for distributing the 
profit obtained accompanied with the data processing 

30 apparatus receiving the distribution of the content data 
and purchasing and using the content data to related 
parties of the data providing apparatus and the data dis- 
tribution apparatus based on the received log data. 
[0101] Further, a data processing apparatus of a 46th 

35 aspect of the invention is a data processing apparatus 
for receiving distribution of content data and usage con- 
trol policy data indicating the handling of the related con- 
tent data from a data providing apparatus and transmit- 
ting the log data to a management apparatus for per- 

40 forming profit distribution processing for distributing the 
profit obtained accompanied with the purchase and us- 
age of the related distributed content data to related par- 
ties of the data providing apparatus based on the pre- 
determined log data, determines at least one of a pur- 

45 chase mode and usage mode of the distributed content 
data based on the distributed usage control policy data, 
and transmits the log data indicating the log of the de- 
termined designation mode and usage mode to the 
management apparatus. 

50 [01 02] Further, a data processing apparatus of a 47th 
aspect of the invention is a data processing apparatus 
for receiving distribution of content data and usage con- 
trol policy data from a data distribution apparatus receiv- 
ing the provision of content data and usage control pol- 

55 icy data indicating the handling of the related content 
data from a data providing apparatus and transmitting 
log data to a management apparatus for performing 
profit distribution processing for distributing the profit 
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obtained accompanied witli the purchase and usage of 
the distributed content data to related parties of the data 
providing apparatus and the data distribution apparatus 
based on predetermined log data and has a first module 
for communicating with the data distribution apparatus 
and a second module for determining at least one of a 
purchase mode and usage mode of the distributed con- 
tent data based on the distributed usage control policy 
data and transmitting log data indicating the log of the 
related determined purchase mode and usage mode to 
the management apparatus. 

[01 03] Further, a data processing apparatus of a 48th 

aspect of the invention is a data processing apparatus 
for receiving the distribution of content data and usage 
control policy data indicating the handling of the related 
content data from a data providing apparatus via a data 
distribution apparatus and transmitting the log data to a 
management apparatus for performing profit distribution 
processing for distributing the profit obtained accompa- 
nied with the purchase and usage of the related distrib- 
uted content data to related parties of the data providing 
apparatus and the data distribution apparatus based on 
the management apparatus use log data and has a first 
module for creating data distribution apparatus use pur- 
chase log data indicating the log of the purchase of the 
content data distributed from the data distribution appa- 
ratus and transmitting the same to the data distribution 
apparatus and a second module for determining at least 
one of a purchase mode and usage mode of the distrib- 
uted content data based on the distributed usage control 
policy data and transmitting the management apparatus 
use log data indicating the log of the related determined 
purchase mode and usage mode to the management 
apparatus. 

[0104] Further, a data providing method of a 49th as- 
pect of the invention is a data providing method using a 
data providing apparatus, data processing apparatus, 
and management apparatus comprising the steps of 
distributing content data and usage control policy data 
indicating the handling of the related content data from 
the data providing apparatus to the data processing ap- 
paratus, having the data processing apparatus deter- 
mine at least one of the purchase mode and the usage 
mode of the distributed content data based on the dis- 
tributed usage control policy data and transmitting log 
data indicating the log of at least one of the related de- 
termined purchase mode and usage mode to the man- 
agement apparatus, and having the management appa- 
ratus perform profit distribution processing for distribut- 
ing the profit obtained accompanied with the purchase 
and the usage of the content data in the data processing 
apparatus to related parties of the data providing appa- 
ratus based on the received log data. 
[0105] Further, a data providing method of a 50th as- 
pect of the invention is a data providing method using a 
data providing apparatus, data distribution apparatus, 
data processing apparatus, and management appara- 
tus comprising the steps of providing content data and 



usage control policy data indicating the handling of the 
related content data from the data providing apparatus 
to the data distribution apparatus, distributing the pro- 
vided content data and the usage control policy data 

5 from the data distribution apparatus to the data process- 
ing apparatus, having the data processing apparatus 
determine at least one of the purchase mode and the 
usage mode of the distributed content data based on 
the distributed usage control policy data and transmit- 

10 ting log data indicating the log of the related determined 
purchase mode and usage mode to the management 
apparatus, and having the management apparatus per- 
form profit distribution processing for distributing the 
profit obtained accompanied with the data processing 

^5 apparatus receiving the distribution of the content data 
and purchasing and using the content data to related 
parties of the data providing apparatus and the data dis- 
tribution apparatus based on the log data received from 
the second module. 

20 [01 06] Further, a data providing method of a 51 st as- 
pect of the invention is a data providing method using a 
data providing apparatus, data distribution apparatus, 
data processing apparatus, and management appara- 
tus comprising the steps of providing content data and 

25 usage control policy data indicating the handling of the 
related content data from the data providing apparatus 
to the data distribution apparatus, distributing the con- 
tent data and the usage control policy data provided 
from the data distribution apparatus to the data process- 

30 ing apparatus to the data processing apparatus, having 
the data processing apparatus generate data distribu- 
tion apparatus use purchase log data indicating the log 
of the purchase of the content data distributed from the 
data distribution apparatus and transmitting the same to 

35 the data distribution apparatus, determine at least one 
of a purchase mode and usage mode of the distributed 
content data based on the distributed usage control pol- 
icy data, and transmit management apparatus use log 
data indicating the log of the related determined pur- 

40 chase mode and usage mode to the management ap- 
paratus, having the management apparatus clear the 
profit obtained accompanied with the purchase and the 
usage of the content data in the data processing appa- 
ratus to related parties of the data providing apparatus 

45 and the data distribution apparatus based on the man- 
agement apparatus use log data, and having the data 
distribution apparatus perform charging processing 
concerning the distribution of the content data based on 
the data distribution apparatus use purchase log data 

50 received from the data processing apparatus. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0107] Figure 1 is a view of the overall configuration 
55 of an EMD system of a first embodiment of the present 
invention. 

[01 08] Figure 2 is a functional block diagram of a con- 
tent provider shown in Fig. 1 and a view of the flow of 
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data concerning data transferred with a SAM of a user 
liome network. 

[0109] Figure 3 is a functional block diagram of the 
content provider shown in Fig. 1 and a view of the flow 
of the data concerning the data transferred between the 
content provider and an ElVID service center. 
[01 10] Figure 4 is a view for explaining a format of a 
secure container transmitted from the content provider 
shown in Fig. 1 to a SAM. 

[0111] Figure 5 is a view for explaining a correspond- 
ence between an OSI layer and a definition of the secure 
container of the present embodiment. 
[0112] Figure 6 is a view for explaining a ROM type 
storage medium. 

[0113] Figure 7A is a view for explaining a format of 
a right registration request use module transmitted from 
the content provider to the EMD service center, while 
Fig. 7B is a view for explaining an authorization certifi- 
cate module transmitted from the EMD service center 
to the content provider. 

[01 1 4] Figure 8 is a flowchart of processing where the 
content provider requests public key certificate data for 
certifying legitimacy of public key data corresponding to 
its own secret key data to the EMD service center in the 
first embodiment. 

[0115] Figure 9 is a flowchart of processing where the 
content provider transmits a secure container to a SAM 
of the user home network in the first embodiment. 
[01 16] Figure 1 0 is a functional block diagram of the 
EMD service center shown in Fig. 1 and a view of the 
flow of the data related to the data transferred with the 
content provider. 

[0117] Figure 11 is a functional block diagram of the 
EMD service center shown in Fig. 1 and a view of the 
flow of the data related to the data transferred between 
a SAM and a settlement organization shown in Fig. 1 . 
[0118] Figure 12 is a flowchart of processing where 
the EMD service center receives a request for issuance 
of public key certificate data from the content provider 
in the first embodiment. 

[0119] Figure 13 is a flowchart of processing where 
the EMD service center receives a request for issuance 
of public key certificate data from a SAM in the first em- 
bodiment. 

[0120] Figure 14 is a flowchart of processing where 
the EMD service center receives a request for registra- 
tion of usage control policy data and content key data 
from the content provider in the first embodiment. 
[0121] Figure 15 is a flowchart of processing where 
the EMD service center performs settlement processing 
in the first embodiment. 

[0122] Figure 1 6 is a view of the configuration of a net- 
work apparatus in the user home network shown in Fig. 
1. 

[0123] Figure 17 is a functional block diagram of a 
SAM in the user home network shown in Fig. 1 and a 
view of the flow of the data up to decryption of the secure 
container received from the content provider. 



[0124] Figure 18 is a view for explaining the data 
stored in an external memory shown in Fig. 16. 
[0125] Figure 19 is a view for explaining the data 
stored in a stack memory. 
5 [0126] Figure 20 is another view of the configuration 
of the network apparatus in the user home network 
shown in Fig. 1 . 

[0127] Figure 21 is a view for explaining the data 
stored in a storage unit shown in Fig. 1 7. 
10 [0128] Figure 22 is a flowchart of processing in a SAM 
when inputting the secure container from the content 
provider and decrypting a key file KF in the secure con- 
tainer in the first embodiment. 

[0129] Figure 23 is a functional block diagram of a 

^5 SAM in the user home network shown in Fig. 1 and a 
view of the flow of the data related to the processing of 
using and purchasing the content data. 
[0130] Figure 24 is a flowchart of processing up to de- 
termination of a purchase mode of the secure container 

20 downloaded from the content provider in a download 
memory in the first embodiment. 
[0131] Figure 25 is a flowchart of processing in the 
case of reproduction of content data with the purchase 
mode already determined stored in the download mem- 

25 ory in the first embodiment. 

[0132] Figure 26 is a view for explaining the flow of 
the processing in a SAM of the source of transfer when 
transferring a content file with the purchase mode al- 
ready determined downloaded in the download memory 

30 of the network apparatus shown in Fig. 16 to a SAM of 
an AV apparatus. 

[0133] Figure 27 is a view of the flow of the data in a 
SAM of the source of transfer in the case shown in Fig. 
26. 

35 [0134] Figure 28 is a flowchart of the processing in a 
SAM when transferring the content file and the key file 
with the purchase mode already determined therein 
downloaded in the download memory of the network ap- 
paratus to a SAM of another AV apparatus in the first 

40 embodiment. 

[0135] Figure 29 is a view for explaining the format of 
a secure container with the purchase mode already de- 
termined. 

[0136] Figure 30 is aviewof the flow of the data when 
45 writing an input content file etc. into a RAM type or ROM 
type storage medium in the SAM of the source of trans- 
fer in the case shown in Fig. 26. 
[0137] Figure 31 is a flowchart of the processing in the 
SAM when writing a content file input from another SAM 
50 etc. into a storage medium of a RAM type or the like in 
the first embodiment. 

[0138] Figure 32 is a view for explaining the flow of 
the processing when determining the purchase mode in 
an AV apparatus when the user home network receives 
55 off-line the distribution of the ROM type storage medium 
shown in Fig. 6 wherein the purchase mode of the con- 
tent has not yet been determined. 
[0139] Figure 33 is a view of the flow of the data in a 
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SAM in the case shown in Fig. 32. 
[0140] Figure 34 isaflowchartof processing when de- 
termining the purchase mode in an AV apparatus when 
the user home network receives off-line the distribution 
of the ROIVI type storage medium shown in Fig. 5 where- 
in the purchase mode of the content has not yet been 
determined in the first embodiment. 
[0141] Figure 35 is a flowchart continuing from the 
flowchart of Fig. 34. 

[0142] Figure 36 is a view for explaining the flow of 
processing when reading a secure container from a 
ROM type storage medium wherein the purchase mode 
of the content has not yet been determined in an AV ap- 
paratus in the user home network, transferring this to 
another AV apparatus, and writing the same into a RAM 
type storage medium. 

[01 43] Figure 37 is a flowchart of processing of a first 
AV apparatus when reading a secure container from a 
ROM type storage medium wherein the purchase mode 
of the content has not yet been determined in a first AV 
apparatus as shown in Fig. 36, transferring this to a sec- 
ond AV apparatus, determining the purchase mode in 
the second AV apparatus, and writing the same into a 
RAM type storage medium. 

[0144] Figure 38 is a flowchart of the processing of 

the second AV apparatus of the case shown in Fig. 37. 
[0145] Figure 39 is a flowchart continuing from the 
flowchart shown in Fig. 38. 

[01 46] Figure 40 is a view of the flow of the data in the 
SAM of the source of transfer in the case shown in Fig. 
36. 

[01 47] Figure 41 is a view of the flow of the data in the 
SAM of the source of transfer in the case shown in Fig. 
36. 

[0148] Figure 42 is a view for explaining the format of 
the data transferred by an in-band method and an out- 
of-band method among the content provider, EM D serv- 
ice center, and SAM shown in Fig. 1 . 
[0149] Figure 43 is a view for explaining the mode of 
the data transferred by the in-band method and the out- 
of-band method among the content provider, EM D serv- 
ice center, and SAM shown in Fig. 1 . 
[0150] Figure 44 is a view for explaining an example 
of a connection configuration of apparatuses to a bus. 
[0151] Figure 45 is a view for explaining a data format 
of a SAM registration list. 

[01 52] Figure 46 is a flowchart of the overall operation 
of the content provider shown in Fig. 1 . 
[0153] Figure 47 is a view for explaining a second 
modification of the first embodiment of the present in- 
vention. 

[0154] Figure 48 is a view for explaining a third mod- 
ification of the first embodiment of the present invention. 
[01 55] Figure 49 is a view of the overall configuration 
of the EMD system of a second embodiment of the 
present invention. 

[0156] Figure 50 is a functional block diagram of the 
content provider shown in Fig. 49 and a view of the flow 



of the data related to the secure container transmitted 
to a service provider. 

[0157] Figure 51 is functional block diagram of the 
service provider shown in Fig. 49 and a view of the flow 
5 of the data transferred with the user home network. 
[0158] Figure 52 is a flowchart of the processing of 
the service provider when preparing a secure container 
from a secure container supplied from the content pro- 
vider and distributing this to the user home network in 
the second embodiment. 

[0159] Figure 53 is a view for explaining the mode of 
the secure container transmitted from the service pro- 
vider shown in Fig. 49 to the user home network. 
[0160] Figure 54 is a functional block diagram of the 
service provider shown in Fig. 49 and a view of the flow 
of the data transferred with the EMD service center. 
[0161] Figure 55 is a view for explaining the format of 
a price tag registration request use module transmitted 
from the service provider to the EMD service center. 
[0162] Figure 56 is a functional block diagram of the 
EMD service center shown in Fig. 49 and a view of the 
flow of the data related to the data transferred with the 
service provider. 

[0163] Figure 57 is a functional block diagram of the 
EMD service center shown in Fig. 49 and a view of the 
flow of the data related to the data transferred with the 

content provider. 

[0164] Figure 58 is a functional block diagram of the 
EMD service center shown in Fig. 49 and a view of the 
flow of the data related to the data transferred with the 
SAM. 

[0165] Figure 59 is a view for explaining the content 
of a usage log data. 

[01 66] Figure 60 is a flowchart of processing when the 
EMD service center receives a request for issuance of 
public key certificate data from the service provider in 
the second embodiment. 

[01 67] Figure 61 is a flowchart of processing when the 

EMD service center receives a request for registration 
of price tag data from the service provider in the second 
embodiment. 

[01 68] Figure 62 is a flowchart of processing when the 
EMD service center performs settlement in the second 
embodiment. 

[0169] Figure 63 is a view of the configuration of the 
network apparatus shown in Fig. 49. 
[0170] Figure 64 is afunctional block diagram of a CA 

module shown in Fig. 63. 

[0171] Figure 65 is a functional block diagram of the 
SAM shown in Fig. 63 and a view of the flow of the data 
from the input of the secure container to the decryption 

of the same. 

[0172] Figure 66 is a view for explaining the data 
stored in the storage unit shown in Fig. 65. 
[0173] Figure 67 is a functional block diagram of the 
SAM shown in Fig. 63 and a view of the flow of the data 
when determining the purchase and/or usage mode of 
the content etc. 
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[0174] Figure 68 is a flowcliart of processing of tine 
SAM wlien inputting a secure container from the service 
provider and decrypting tlie key file in tine secure con- 
tainer in the second embodiment. 
[0175] Figure 69 is a flowchart of processing of the 
SAIVI up to the determination of the purchase mode of 
the secure container downloaded in the download mem- 
ory from the service provider in the second embodiment. 
[0176] Figure 70 is a flowchart of processing when re- 
producing content data having the purchase mode al- 
ready determined stored in the download memory. 
[0177] Figure 71 is a view for explaining the mode of 
the key file after the purchase mode is determined. 
[0178] Figure 72 is a view for explaining the flow of 
the processing in the SAM of the source of transfer when 
transferring the content file having the purchase mode 
already determined downloaded in the download mem- 
ory of the network apparatus shown in Fig. 63 to the 
SAM of the AV apparatus. 

[01 79] Figure 73 is a view of the flow of the data in the 
SAM of the source of transfer in the case shown in Fig. 
72. 

[0180] Figure 74 is a flowchart of processing of the 
SAM of the source of transfer in a case when transfer- 
ring for example the content file having the purchase 
mode already determined downloaded in the download 
memory of the network apparatus to the SAM of the AV 
apparatus as shown in Fig. 72. 

[0181] Figure 75 is a view for explaining the format of 
the secure container having the purchase mode already 
determined to be transferred to the SAM of the AV ap- 
paratus from the SAM of the network apparatus. 
[01 82] Figure 76 is a view of the flow of the data in the 
SAM of the destination of transfer in the case shown in 
Fig. 72. 

[0183] Figure 77 is a flowchart of the processing of 
the SAM when writing a content file input from the other 
SAM etc. into a storage medium of the RAM type etc. 
as shown in Fig. 72. 

[0184] Figure 78 is a flowchart of the overall operation 

of the EMD system shown in Fig. 49. 

[01 85] Figure 79 is a flowchart of the overall operation 

of the EMD system shown in Fig. 49. 

[0186] Figure 80 is a view of the configuration of an 

EMD system using two service providers according to a 

first modification of the second embodiment of the 

present invention. 

[0187] Figure 81 is a view of the configuration of an 
EMD system using a plurality of content providers ac- 
cording to a second modification of the second embod- 
iment of the present invention. 

[0188] Figure 82 is a view of the configuration of an 
EMD system according to a third modification of the sec- 
ond embodiment of the present invention. 
[0189] Figure 83 is a view of the configuration of an 
EMD system according to a fourth modification of the 
second embodiment of the present invention. 
[0190] Figure 84 is a view for explaining the mode of 



a route of acquisition of public key certificate data. 
[0191] Figure 85 is a view for explaining processing 
for invalidating public key certificate data of the content 
provider. 

5 [0192] Figure 86 is a view for explaining processing 
for invalidating public key certificate data of the service 
provider. 

[0193] Figure 87 is a view for explaining processing 
for invalidating public key certificate data of a SAM. 
10 [0194] Figure 88 is a view for explaining other 
processing for invalidating public key certificate data of 
a SAM. 

[0195] Figure 89 is a view for explaining a case where 
a right management clearing house and an electronic 

^5 settlement clearing house are provided in place of the 
EMD service center in the EMD system shown in Fig. 49. 
[0196] Figure 90 is a view of the configuration of an 
EMD system when providing the right management 
clearing house and the electronic settlement clearing 

20 house shown in Fig. 89 in a single EMD service center. 
[0197] Figure 91 is a view of the configuration of an 
EMD system where the service provider directly per- 
forms settlement at the electronic settlement clearing 
house. 

25 [0198] Figure 92 is a view of the configuration of an 

EMD system where the content provider directly per- 
forms the settlement at the electronic settlement clear- 
ing house. 

[01 99] Figure 93 is a view for explaining the format of 
30 the secure container provided from the content provider 
to the service provider shown in Fig. 49 in an eighth 
modification of the second embodiment of the present 
invention. 

[0200] Figure 94 is a view for explaining a detailed for- 
35 mat of a module stored in Fig. 93. 

[0201] Figure 95 is a view for explaining the format of 
the secure container provided from the service provider 
to the SAM shown in Fig. 49 in the eighth modification 
of the second embodiment of the present invention. 
40 [0202] Figure 96 is a conceptual view of a case where 
the secure container is provided by using the Internet. 
[0203] Figure 97 is another conceptual view of the 
case where the secure container is provided by using 
the Internet. 

45 [0204] Figure 98 is a conceptual view of a case where 
the secure container is provided by using a digital broad- 
cast. 

[0205] Figure 99 is another conceptual view of the 
case where the secure container is provided by using a 
50 digital broadcast. 

[0206] Figure 100 is a view of the configuration of a 
conventional EMD system. 

BEST MODE FOR WORKING THE INVENTION 

55 

[0207] Below, an explanation will be made of an EMD 
(electronic music distribution) system according to em- 
bodiments of the present invention. 
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[0208] In the present embodiment, the content data 
distributed to the user means digital data wherein the 
information per se has value such as music data, video 
data, and a program. The explanation will be made be- 
low by taking as an example music data. 

First Embodiment 

[0209] Figure 1 is a view of the configuration of an 
EMD system 1 00 of the present embodiment. 
[0210] As shown in Fig. 1, the EMD system 100 has 
a content provider 1 01 , an EMD service center (clearing 
house, below, also described as "ESC") 1 02, and a user 
home network 103. 

[0211] Here, the content provider 101, EMD service 
center 1 02, and SAMs 1 05^ to 1 064 correspond to the 
data providing apparatus, management apparatus, and 
data processing apparatuses of the present invention. 
[0212] First, a brief explanation will be made of the 
EMD system 100. 

[0213] In the EMD system 100, the content provider 
101 transmits usage control policy (UCP) data 106 indi- 
cating the content of the right such as license conditions 
of content data C of the content which it is to provide to 
the EM D service center 1 02 as a high reliability authority 
manager. The usage control policy data 106 is author- 
ized (certified) by the EMD service center 102. 
[0214] Further, the content provider 1 01 encrypts the 
content data C by content key data Kc to generate a 
content file CF and, at the same time, encrypts the con- 
tent key data Kc by distribution key data KD^ to KDSg of 
a corresponding period distributed from the EMD serv- 
ice center 102. Then, the content provider 101 distrib- 
utes a secure container (module of the present inven- 
tion) 104 storing (encapsulating) the encrypted content 
key data Kc and content file CF and its own signature 
data to the user home network 1 03 by using a network 
such as the Internet, digital broadcasting, and storage 
medium. 

[0215] In this way, in the present embodiment, by en- 
capsulating and providing the digital content data C, the 
digital content which had been closely tied to a conven- 
tional storage medium is separated from the storage 
medium, thus value can be imparted to the digital con- 
tent by itself. 

[0216] Here, the "secure container" is the product 

capsule forming the most basic unit when selling the 
content data C (product) no matter which distribution 
route (distribution channel) it is provided through. Spe- 
cifically, the secure container is a product capsule con- 
taining the encryption information for the charging, sig- 
nature data for verifying the legitimacy of the content of 
the content data C, the legitimacy of the party preparing 
the content data, and the legitimacy of the distributor of 
the content data, and the information relating to the cop- 
yright such as the information concerning the electronic 
watermark information buried in the content data. 
[0217] The user home network 103 has for example 



a network apparatus 1 60-, and AV apparatuses 1 6O2 to 
I6O4. 

[0218] The network apparatus 160^ includes a SAM 
(secure application module) 105^. 

5 [0219] The AV apparatuses 1 6O2 to 1 6O4 include the 
SAMs 1062 to 1064. The SAMs 105-, to 1064 are con- 
nected to each other via a bus 1 91 , for example, an I EEE 
(Institute of Electrical and Electronics Engineers) 1394 
serial interface bus. 

10 [0220] The SAMs 105^ to 1064 decrypt the secure 
container 1 04 received by the network apparatus 1 60^ 
from the content provider 1 01 via the network or the like 
on-line and/or the secure container 104 received from 
the content provider 1 01 at the AV apparatuses 1 6O2 to 

15 1 6O4 via storage media off-line by using the distribution 
key data KD^ to KD3 of the corresponding period and 
then verify the signature data. 

[0221] The secure container 104 supplied to the 
SAMs 1 05^ to 1 064 is reproduced or stored to a storage 
20 medium after the purchase and/or usage mode is deter- 
mined in accordance with the operation of the user in 
the network apparatus 160^ and the AV apparatuses 
I6O2 to I6O4. 

[0222] The SAM 105^ to 1064 store logs of the pur- 
25 chase and/or usage of the secure container 104 men- 
tioned above as usage log data 108. 
[0223] The usage log data 1 08 is transmitted from the 
user home network 103 to the EMD service center 102 
in response to for example a request from the EM D serv- 
30 ice center 102. 

[0224] The EMD service center 1 02 determines (cal- 
culates) the charged content based on the usage log 
data 1 08 and performs settlement at a settlement organ- 
ization 91 such as a bank via a payment gateway 90. 
35 By this, the money paid by a user of the user home net- 
work 1 03 to the settlement organization 91 is paid to the 
content provider 101 by the settlement processing by 
the EMD service center 102. 

[0225] Further, the EMD service center 1 02 transmits 
40 a settlement report data 1 07 to the content provider 1 01 
every predetermined period. 

[0226] In the present embodiment, the EMD service 
center 102 has a certificate authority function, a key data 
management function, and a right clearing (profit distri- 

45 bution) function. 

[0227] Namely, the EM D service center 1 02 plays the 
role as a second certificate authority with respect to a 
route certificate authority 92 constituting the highest au- 
thority manager at a neutral position (located below the 

50 route certificate authority 92) and certifies the legitimacy 
of the related public key data by attaching a signature 
using the secret key data of the EM D service center 1 02 
to public key certificate data of public key data used for 
the verification processing of the signature data in the 

55 content provider 101 and the SAMs 105^ to 1064. Fur- 
ther, as mentioned before, one of the certificate authority 
functions of the EMD service center 1 02 is for the EMD 
service center 102 to register and authorize the usage 
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control policy data 1 06 of the content provider 1 01 . 
[0228] Further, the ElVID service center 1 02 has a l^ey 
data management function for managing the key data, 
for example, the distribution key data KD^ to KDg. 
[0229] Further, the EM D service center 1 02 has a right 
clearing (profit distribution) function of performing set- 
tlement with respect to the purchase and/or usage of 
content by a user based on a suggested retailer's price 
(SRP) described in the authorized usage control policy 
data 106 and the usage log data 108 input from the 
SAMs 105^ to 1054 and distributing the money paid by 
the user to the content provider 1 01 . 
[0230] Below, a detailed explanation will be made of 
components of the content provider 101. 

[Content Provider 101] 

[0231] Figure 2 is a functional block diagram of the 
content provider 1 01 and shows the flow of the data re- 
lated to the data transferred with the SAMs 1 05^ to 1 054 
of the user home network 103. 

[0232] Further, in Fig. 3, the flow of the data related 
to the data transferred between the content provider 1 01 
and the EMD service center 102 is shown. 
[0233] Note that, in the figures starting from Fig. 3, the 
flow of the data input and output to and from the signa- 
ture data processor and the encryptor/decryptor using 
session key data Kg^g omitted. 
[0234] As shown in Fig. 2 and Fig. 3, the content pro- 
vider 101 has a content master source server 111, an 
electronic watermark information adder 1 1 2, a compres- 
sor 113, an encryptor 114, a random number generator 
1 1 5, an encryptor 1 1 6, a signature processor 1 1 7, a se- 
cure container generator 118, a secure container data- 
base 118a, a storage unit 119, a mutual authenticator 
120, an encryptor/decryptor 121 , a usage control policy 
data generator 122, a SAM manager 124, and an EMD 
service center manager 125. 

[0235] The content provider 101 registers for example 
public key data generated by itself and its own ID card 
and bank account number (account number for settle- 
ment) in the EM D service center 1 02 off-line before com- 
municating with the EMD service center 102 and ac- 
quires its own identifier (identification number) CP_ID. 
Further, the content provider 1 01 receives public key da- 
ta of the EMD service center 1 02 and public key data of 
the route certificate authority 92 from the EMD service 
center 102. 

[0236] Below, an explanation will be made of function- 
al blocks of the content provider 1 01 shown in Fig. 2 and 
Fig. 3. 

[0237] The content master server 1 1 1 stores the con- 
tent data of the master source of content to be provided 
to the user home network 1 03 and outputs content data 
S111 to be provided to the electronic watermark infor- 
mation adder 112. 

[0238] The electronic watermark information adder 
112 buries a source watermark Ws, a copy control wa- 



termark Wc, a user watermark Wu, etc. in the content 
data S1 11 to generate content data S112 and outputs 
the content data S1 12 to the compressor 113. 
[0239] The source watermark Ws is information con- 

5 cerning the copyright such as the name of the owner of 
the copyright of the content data, ISRC code, authoring 
date, authoring apparatus ID (identification data), and 
destination of the distribution of the content. The copy 
control watermark Wc is information containing a copy 

10 prohibit bit for preventing copying through an analog in- 
terface. The user watermark Wu contains for example 
the identifier CP_ID of the content provider 1 01 for spec- 
ifying a source of distribution and a destination of distri- 
bution of the secure container 104 and identifiers 

15 SAM_IDi to SAM_ID4 of the SAMs 105^ to IO54 of the 
user home network 103. 

[0240] Further, the electronic watermark information 
adder 1 1 2 buries the link use ID for searching of the con- 
tent data by a search engine as electronic watermark 
20 information in the content data S11 1 if necessary. 

[0241] In the present embodiment, preferably the in- 
formation content and the burial position of each elec- 
tronic watermark information are defined as the elec- 
tronic watermark information management data. The 
25 electronic watermark information management data is 
managed in the EMD service center 1 02. The electronic 
watermark information management data is used when 
for example the network apparatus 1 60-, and the AV ap- 
paratuses 1 6O2 to 1 6O4 in the user home network 1 03 
30 verify the legitimacy of the electronic watermark infor- 
mation. 

[0242] For example, in the user home network 103, 
based on the electronic watermark information manage- 
ment data, the burying of a false electronic watermark 
35 information can be detected with a high probability by 
deciding that the electronic watermark information is le- 
gitimate when both of the burial position of the electronic 
watermark information and the content of the buried 
electronic watermark information coincide. 
40 [0243] The compressor 113 compresses the content 
data S1 12 by an audio compression method such as 
ATRAC3 (Adaptive Transform Acoustic Coding 3) 
(trademark) and outputs compressed content data S1 1 3 
to the encryptor 114. 
45 [0244] The encryptor 114 uses the content key data 
Kc as a common key, encrypts the content data S1 13 
by a common key encryption method such as DES (Data 
Encryption Standard) or Triple DES to generate the con- 
tent data C and outputs this to the secure container gen- 
50 eratorllS. 

[0245] Further, the encryptor 114 encrypts AA/ de- 
compression software Soft and meta-data Meta by us- 
ing the content key data Kc as the common key, then 
outputs the same to the secu re container generator 1 1 7. 
55 [0246] DES is an encryption method for processing 
64 bits of a plain text as a block by using a 56-bit com- 
mon key. The DES processing is comprised by a portion 
for scrambling the plain text to transform the same to 
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encrypted text (data scrambler) and a portion for creat- 
ing key (magnification Wey) data used in the data scram- 
bler from the common key data (key processor). All al- 
gorithms of DES are disclosed, so the fundamental 
processing of the data scrambler will be briefly ex- 5 
plained here. 

[0247] First, 64 bits of the plain text are divided into 
an upper significant 32-bit Hq and a lower significant 
32-bit Lq. Using as input the 48-bit magnification key da- 
ta supplied from the key processor and the lower sig- io 
nificant 32-bit Lq, the output of an F function obtained 
by scrambling the lower significant 32-bit Lq is calculat- 
ed. The F function is comprised by two types of basic 
transformations of "substitution" for replacing the nu- 
merals by a predetermined rule and "transposition" for ^5 
switching the bit positions by a predetermined rule. 
Next, an exclusive OR of the upper significant 32-bit Hq 
and the output of the F function is calculated, and the 
result thereof is made L^. Further, Lq is made H^. 
[0248] Then, based on the upper significant 32-bit Hq 
and the lower significant 32-bit Lq, the above processing 
is repeated 16 times. The thus obtained upper signifi- 
cant 32-bit H-|g and lower significant 32-bit L-iq are output 
as the encrypted text. The decryption is realized by per- 
forming the above procedure in the reverse direction by 25 
using the common key data used in the encryption. 
[0249] The random number generator 1 1 5 generates 
a random number of predetermined number of bits and 
outputs the related random number as the content key 
data Kc to the encryptor 1 1 4 and the encryptor 116. 30 
[0250] Note that it is also possible to generate the con- 
tent key data Kc from the information concerning the 
music provided by the content data. The content key da- 
ta Kc is updated for example every predetermined time. 
[0251] The encryptor 116 receives as its inputs the 35 
distribution key data KD^ to KDg of the corresponding 
period among the distribution key data KD^ to KDg re- 
ceived from the ElVID service center 102 and stored in 
the storage unit 1 1 9 as will be mentioned later, encrypts 
the content key data Kc, usage control policy data 1 06, 40 
SAM program download containers SDC-, to SDCg, and 
a signature certificate module IVIod^ shown in Fig. 4B by 
the DES or other common encryption method using the 
related distribution key data as a common key, then out- 
puts them to the secure container generator 117. ^5 
[0252] In the signature certificate module IVIod^, as 
shown in Fig. 4B, signature data SIG2 cp to SIG4 Qp, a 
public key certificate CERqp of public key data Kqp p of 
the content provider 101 and signature data SIG-|^3q 
of the ElVI D service center 1 02 with respect to the related 50 
certificate CERqp are stored. 

[0253] Further, the SAM program download contain- 
ers SDC^ to SDC3 store download drivers used when 
downloading programs in the SAMs 105^ to 1064, a 
UCP-L (Label) R (Reader) indicating the syntax (gram- 55 
mar) of a usage control policy data (UCP) U106, and 
lock key data for locking or unlocking rewrite and erase 
operations of the storage units (flash ROMs) built in the 



SAMs 105-, to 1054 in units of blocks. 
[0254] Note that the storage unit 1 1 9 is provided with 
various databases, for example, a database for storing 
public key certificate data, a database for storing distri- 
bution use data KD-, to KDg, and a database for storing 
the key file KR 

[0255] The signature processor 1 1 7 takes a hush val- 
ue of the data to be signed and generates the signature 
data SIG thereof by using the secret key data Kqpq of 
the content provider 1 01 . 

[0256] Note that the "hush value" is generated by us- 
ing the hush function. The hush function is a function for 
receiving as the input the data covered, compressing 
the related input data to data having a predetermined 
bit length, and outputting the same as a hush value. The 
hush function is characterized in that it is difficult to pre- 
dict the input from the hush value (output), many bits of 
the hush value change when one bit of the data input to 
the hush function changes, and it is difficult to find input 
data having an identical hush value. 
[0257] The secure container generator 1 1 8, as shown 
in Fig. 4A, generates the content file CF storing header 
data and the content data C, A/V decompression soft- 
ware Soft, and meta-data Meta input from the encryptor 
1 1 4 and encrypted by the content key data Kc. 
[0258] Here, the A/V decompression software Soft is 
the software used when decompressing the content file 
CF in the network apparatus 160-, and the AV appara- 
tuses I6O2 to I6O4 in the user home network 103 and 
is for example an ATRAC3 type decompression soft- 
ware. 

[0259] Further, the secure container generator 118 
generates a key file KF storing, as shown in Fig. 4B, the 
content key data Kc, usage control policy data (UCP) 
1 06, SAM program download containers SDC-, to SDC3, 
and the signature certificate module Mod^ encrypted by 
the distribution key data KD-, to KDg of the correspond- 
ing period input from the encryptor 116. 
[0260] Then, the secure container generator 1 1 8 gen- 
erates a secure container 1 04 storing the content file CF 
and the key file KF shown in Figs. 4A and 4B and the 
public key data Kqp and the signature data SIG^ ^gc 
the content provider 101 shown in Fig. 4C, stores this 
in a secure container database 118a, and then outputs 
the same to the SAM manager 124 in response to a re- 
quest from the user. 

[0261] In this way, in the present embodiment, an in- 
band method storing the public key certificate CERqp of 
the public key data Kqp p of the content provider 101 in 
a secure container 104 and transmitting it to the user 
home network 103 is employed. Accordingly, it is not 
necessary for the user home network 1 03 to communi- 
cate with the EMD service center 102 for obtaining the 
public key certificate CERqp. 

[0262] Note that, in the present invention, it is also 
possible to employ an out-of-band method where the us- 
er home network 103 obtains the public key certificate 
CERqp from the EM D service center 1 02 without storing 



20 



39 



EP 1 120 715 A1 



40 



the public key certificate CERqp in tine secure container 
104. 

[0263] The mutual authenticator 120 generates ses- 
sion key data (common key) Kqes mutual authenti- 
cation between the EMD service center 1 02 and the us- 
er home network 103 when the content provider 101 
transfer data on-line between the EMD service center 
102 and the user home network 103. The session key 
data KsEs newly generated at each mutual authenti- 
cation. 

[0264] The encryptor/decryptor 1 21 encrypts the data 
to be transmitted by the content provider 101 to the EMD 
service center 102 and the user home network 103 on- 
line by using the session key data Kq^q. 
[0265] Further, the encryptor/decryptor 121 decrypts 
the data received by the content provider 101 from the 
EMD service center 1 02 and the user home network 1 03 
on-line by using the session key data Kq^q. 
[0266] The usage control policy data generator 122 
generates the usage control policy data 1 06 and outputs 
this to the encryptor 116. 

[0267] The usage control policy data 1 06 is a descrip- 
tor defining the operation rules of the content data C and 
describes for example the suggested retailer's price 
SRP intended by the operator of the content provider 
1 01 and the copying rules of the content data C therein. 
[0268] The SAM manager 124 supplies the secure 
container 1 04 to the user home network 1 03 off-line and/ 
or on-line. 

[0269] The SAM manager 124 encrypts the secure 

container 104 by using the distribution key data KD-, to 
KDg etc. and stores the same on a storage medium 
when distributing the secure container 104 to the user 
home network 1 03 off-line by using a ROM type storage 
medium such as a CD-ROM or DVD (digital versatile 
disc). Then, this storage medium is supplied to the user 
home network 1 03 off-line by sale or the like. 
[0270] In the present embodiment, the secure con- 
tainer (product capsule) 104 is defined by the applica- 
tion layer in the OSI layer as shown in Fig. 5. Further, 
capsules corresponding to the presentation layer and 
the transport layer are separately defined from the se- 
cure container 1 04 as transport protocol for transporting 
the secure container. Accordingly, the secure container 
104 can be defined without depending on the transport 
protocol. Namely, no matter what the mode, that is, on- 
line or off-line, of supplying the secure container 1 04 to 
the user home network 103, the container can be de- 
fined and generated according to a common rule. 
[0271] For example, when supplying the secure con- 
tainer 104 by using the network, the secure container 
104 is defined in a region of the content provider 101, 
and the presentation layer and the transport layer are 
considered as transport tools for transporting the secure 
container 104 to the user home network 103. 
[0272] Further, in the off-line case, a ROM type stor- 
age medium is considered as a transport carrier for 
transporting the secure container 1 04 to the user home 



network 103. 

[0273] Figure 6 is a view for explaining a storage me- 
dium 130. 

[0274] As shown In Fig. 6, each of the ROM type stor- 
5 age media 130 has a ROM region 131, a RAM region 
132, and a media SAM 133. 

[0275] The ROM region 1 31 stores the content file CF 
shown in Fig. 4A. 

[0276] Further, the RAM region 132 stores signature 
10 data generated by using a MAC (message authentica- 
tion code) function using as arguments the key file KF 
and public key certificate data CERqp shown in Fig. 4B 
and Fig. 4C and storage key data Ksjr having an inher- 
ent value in accordance with the type of the apparatus 
15 and data obtained by encrypting the related key file KF 
and public key certificate data CERqp by using media 
key data K^^i^d having a value inherent in the storage 
media. 

[0277] Further, the RAM region 132 stores a public 
20 key certificate revocation list for specifying the content 
provider 101 and SAMs 105^ to 1065 which became 
invalid due to for example an illegal action. 
[0278] Further the RAM region 132, as will be men- 
tioned later, stores usage control status (DCS) data 1 66 
25 generated when the purchase and/or usage mode of the 
content data C are determined in the SAMs 1 05-, to 1 064 
of the user home network 1 03 etc. By this, by the storage 
of the usage control status data 166 in the RAM region 
1 32, the ROM type storage medium 1 30 having the pur- 
30 chase and/or usage mode determined therein is ob- 
tained. 

[0279] The media SAM 133, for example, stores the 
media ID as the identifier of the ROM type storage me- 
dium 130 and the media key data Ky^D. 
35 [0280] The media SAM 1 33 has for example a mutual 
authentication function. 

[0281] Further, the SAM manager 124 encrypts the 
secure container 104 in the encryptor/decryptor 121 by 
using the session key data Kq^q and then distributes the 
40 same via the network to the user home network 103 
when distributing the secure container 104 to the user 
home network 103 on-line by using a network, digital 
broadcast, or the like. 

[0282] In the present embodiment, as the SAM man- 
45 ager, EMD service center manager, and a content pro- 
vider manager and a service provider manager men- 
tioned later, use is made of for example a communica- 
tion gateway having a tamper resistant structure making 
it difficult to monitor and tamper the internal processing 
50 content. 

[0283] Here, for the distribution of the content data C 
from the content provider 1 01 to the user home network 
1 03, use is made of the secure container 1 04 of the com- 
mon mode storing the usage control policy data 1 06 in 
55 both of the case of distribution using a storage medium 
1 30 as mentioned above and the case of distribution on- 
line by using a network. Accordingly, in the SAMs 105^ 
to 1 064 of the user home network 1 03, in both of the off- 
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line and on-line cases, right clearing based on the com- 
mon usage control policy data 1 06 is possible. 
[0284] Further, as mentioned above, in the present 
embodiment, the in-band method of enclosing the con- 
tent data C encrypted by the content key data Kc and 5 
the content key data Kc for decrypting the related en- 
cryption in the secure container 104 is employed. In the 
in-band method, there is the advantage that it is not nec- 
essary to separately distribute the content key data Kc 
and the load of network communication can be reduced io 
when it is desired to reproduce the content data C at an 
apparatus of the user home network 103. Further, the 
content key data Kc is encrypted by the distribution key 
data KD^ to KDq, but the distribution use public key data 
KD-i to KDg are managed by the EMD service center 15 
1 02 and have been distributed to the SAMs 1 05^ to 1 055 
of the user home network 103 in advance (when the 
SAMs 105-1 to 1054 access to the EMD service center 
102 the first time), therefore, in the user home network 
103, the usage of the content data C off-line becomes 20 
possible without connecting with the EMD service cent- 
er 102 on-line. 

[0285] Note that, the present invention has the flexi- 
bility of enabling use of the out-of-band method of sep- 
arately supplying the content data C and the content key 25 
data Kc to the user home network 1 03. 
[0286] When receiving six months' worth of the distri- 
bution key data KD^ to KDg and the corresponding sig- 
nature data SIGkdi,esc ^'^kd6,esC' public key 
certificate CERqp containing the public key data Kqpp 3o 
of the content provider 101 and the signature data 
SIG^ ESC thereof, and the settlement report data 107 
from the EMD service center 1 02, the EMD service cent- 
er manager 125 decrypts them in the encryptor/decryp- 
tor 121 by using the session key data Kg^g' then 35 
stores them in the storage unit 1 1 9. 
[0287] The settlement report data 1 07 describes, for 
example, the content of the settlement concerning the 
content provider 101 performed with respect to the set- 
tlement organization 91 shown in Fig. 1 by the EMD 40 
service center 1 02. 

[0288] Further, the EMD service center manager 125 
transmits a global unique identifier ContentJD of the 
content data C to be provided, the public key data Kqp p, 
and their signature data SIG3 Qp to the EMD service 45 
center 1 02 and receives as its input public key certificate 
data CERqp of public key data Kqp p from the EMD serv- 
ice center 102. 

[0289] Further, the EMD service center manager 125 
generates a module Modg storing the global unique 50 
identifier ContentJD of the content data C to be provid- 
ed, the content key data Kc, and the usage control policy 
data 106 therein and a usage control policy registration 
request use module Mod2 storing signature data 
SIG5 QP thereof as shown in Fig. 7A when registering 55 
the usage control policy data 106 in the EMD service 
center 102, encrypts them in the encryptor/decryptor 
1 21 by using the session key data Kqes' ^"^^1 then trans- 



mits the same via the network to the EMD service center 
1 02. As the EMD service center manager 1 25, as men- 
tioned before, use is made of for example a communi- 
cation gateway having the tamper resistant structure 
making it difficult to monitor and tamper with the internal 
processing content. 

[0290] Below, an explanation will be made of the flow 
of the processing in the content provider 1 01 by referring 
to Fig. 2 and Fig. 3. 

[0291] Note that, as a prerequisite of the following 
processing, a related party of the content provider 101 
performs processing for registration at the EMD service 
center 1 02 off-line by using for example its own ID card 
and bank account for the settlement processing and ob- 
tains aglobal unique identifier CP_ID. The global unique 
identifier CPJD is stored in the storage unit 119. 
[0292] Below, an explanation will be made of the 
processing when the content provider 101 requests 
public key certificate data CERqp for certifying the legit- 
imacy of the public key data Kqps corresponding to its 
own secret key data Kqps to the EMD service center 
102 by referring to Fig. 3 and Fig. 8. 
[0293] Figure 8 is a flowchart of the related process- 
ing. 

[0294] Step SA1 : The content provider 1 01 generates 

a random number by using a random number generator 
115 configured by for example a true random number 
generator and generates the secret key data Kqps- 
[0295] Step SA2: The content provider 1 01 generates 
public key data Kqp p corresponding to the secret key 
data Kqp s and stores the same in the storage unit 1 1 9. 
[0296] Step SA3: The EMD service center manager 
125 of the content provider 101 reads the identifier 
CPJD of the content provider 101 and the public key 
data Kqp p from the storage unit 1 1 9. 
[0297] Then, the EMD service center manager 125 
transmits a public key certificate data issuance request 
containing the identifier CPJD and the public key data 
Kqpp to the EMD service center 102. 
[0298] Step SA4: The EMD service center manager 
125 receives as its inputs the public key certificate data 
CERqp and signature data SIG^ ^sc thereof from the 
EMD service center 1 02 in response to the related issu- 
ance request and writes the same into the storage unit 
119. 

[0299] Below, an explanation will be made of the 

processing for receiving the distribution key data from 
the EMD service center 1 02 by the content provider 101 
by referring to Fig. 3. 

[0300] Note that, as the prerequisite for the following 
processing, the content provider 101 must have already 
obtained the public key certificate data CERqp from the 
EMD service center 102. 

[0301] The EMD service center manager 125 re- 
ceives as its inputs six months' worth of the distribution 
key data KD-, to KD ^ and their signature data 

2'^KDi,EScto SIG^^DQ ESC thereof from the EMD service 
center 102 and stores them in a predetermined data- 



22 



43 



EP 1 120 715 A1 



44 



base in the storage unit 119. 

[0302] Then, in the signature processor 1 1 7, after the 
legitimacy of the signature data SIG^dlesc 
^'^KD6,ESC stored in the storage unit 119 is confirmed, 
the distribution key data KD^ to KDg stored in the stor- 
age unit 119 are handled as valid data. 
[0303] Below, an explanation will be made of the 
processing when the content provider 1 01 transmits the 
secure container 1 04 to the SAM 1 05^ of the user home 
network 103 referring to Fig. 2 and Fig. 9. 
[0304] Figure 9 is a flowchart of the related process- 
ing. 

[0305] Note that, in the following example, the case 
of transmitting the secure container 104 from the con- 
tent provider 101 to the SAIVI 105-, is illustrated, but the 
same applies also to the case of transmitting the secure 
container 104 to the SAMs 1052 "'^^4 except it is 
transmitted to the SAMs 1 062 to 1 054 via the SAM 1 05^ . 
[0306] Step SB1 : Content data S1 1 1 is read from the 
content master source server 1 1 1 and output to the elec- 
tronic watermark information adder 112. 
[0307] The electronic watermark information adder 
112 buries the electronic watermark information in the 
content data S1 11 to generate content data S1 12 and 
outputs this to the compressor 113. 
[0308] Step SB2: The compressor 113 compresses 
the content data S1 12 by for example the ATRAC3 
method to generate content data S113 and outputs this 
to the encryptor 114. 

[0309] Step SB3: The random number generator 1 1 5 

generates a random number to generate the content key 
data Kc and outputs this to the encryptor 114. 
[031 0] Step SB4: The encryptor 1 1 4 encrypts the con- 
tent data S1 1 3 and the meta-data Meta and A/V decom- 
pression software Soft read from the storage unit 119 
by using the content key data Kc and outputs the same 
to the secure container generator 118. In this case, the 
meta-data Meta does not have to be encrypted. 
[031 1] Then, the secure container generator 1 1 8 gen- 
erates the content file CF shown in Fig. 4A. Also, in the 
signature processor 117, the hush value of the content 
file CF is taken, and the signature data SIGg cp is gen- 
erated by using the secret key data Kqps- 
[0312] Step SB5: The signature processor 117 takes 
the hush value with respect to each of the content data 
C, content key data Kc, and the usage control policy da- 
ta 106 and generates the signature data SIG2CP' 
SIG3 Qp, and SIG4 QP indicating the legitimacy of the 
creator (provider) of the data by using the secret key 
data Kqps- 

[031 3] Further, the encryptor 1 1 6 encrypts the content 
key data Kc, usage control policy data 106, SAM pro- 
gram download containers SD^ to SD3, and signature 
certificate module Mod^ shown in Fig. 4B by the distri- 
bution key data KD^ to KDg of the corresponding period 
and outputs the same to the secure container generator 
118. 

[0314] Then, the secure container generator 11 8 gen- 



erates the key file KF shown in Fig. 4B. 
[0315] Further, the signature processor 117 takes the 
hush value of the key file KF and generates the signa- 
ture data SIG7 QP by using the secret key data Kqp 3. 

5 [0316] Step SB6: The secure container generator 118 
generates the secure container 104 storing the content 
file CF and the signature data SIGq cp thereof shown in 
Fig. 4A, the key file KF and the signature data SIG7 qp 
thereof shown in Fig. 4B, and the public key certificate 

10 data CERqp and the signature data SIG^^qq thereof 
shown in Fig. 4C therein and stores this in the secure 
container database 1 1 8a. 

[0317] Step SB7: The secure container generator 118 
reads the secure container 104 to be provided to the 

15 user home network 103 in response to for example a 
request from the user from the secure container data- 
base 118a, encrypts the same in the encryptor/decryp- 
tor 121 by using the session key data Kqes obtained by 
the mutual authentication between the mutual authenti- 

20 cator 120 and the SAM 105^, and then transmits the 
same to the SAM 105^ of the user home network 103 
via the SAM manager 124. 

[0318] Below, an explanation will be made of the 
processing in the case where the content provider 101 

25 requests to the EMD service center 1 02 to register and 
authorize the usage control policy data 1 06 and the con- 
tent key data Kc by referring to Fig. 3. 
[0319] The processing for requesting authorization of 
the usage control policy data 106 and the content key 

30 data Kc is carried out for every content data C. 

[0320] In this case, the signature processor 1 1 7 finds 
the hush value of the module Modg comprised by the 
global unique identifier ContentJD of the content data 
C and the content key data Kc read from the storage 

35 unit 1 1 9 and the usage control policy data 1 06 input from 
the usage control policy data generator 1 22 and gener- 
ates the signature data SIG5 Qp by using the secret key 
data Kqp 5- 

[0321] Then, it encrypts the right registration request 

40 use module Mod2 shown in Fig. 7A in the encryptor/de- 
cryptor 121 by using the session key data KsEsO'^^^i'^ecl 
by the mutual authentication between the mutual au- 
thenticator 120 and the EMD service center 102, then 
transmits it from the EMD service center manager 125 

45 to the EMD service center 102. 

[0322] In the present embodiment, the case where the 
content provider 1 01 does not receive the authorization 
certificate module certifying that the content provider 
1 01 is authorized from the EMD service center 1 02 after 

50 the EMD service center 1 02 authorizes the usage con- 
trol policy data 1 06 and the content key data Kc, that is, 
the case where the encryption is carried out in the con- 
tent provider 1 01 by using the distribution key data KD^ 
to KDg to generate the key file KF, is illustrated. 

55 [0323] Note that in the present invention, it is also pos- 
sible to transmit an authorization certificate module 
Mod2a shown in Fig. 7B encrypted by using the distribu- 
tion key data KD^ to KDg from the EMD service center 
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1 02 to the content provider 1 01 after authorization of the 
usage control policy data 1 06 and the content key data 
Kc in the EMD service center 102. 
[0324] The authorization certificate module Mod2a 
stores a module Modg^ storing the global unique identi- 
fier ContentJD of the content data C, content key data 
Kc, and the usage control policy data 1 06 input from the 
usage control policy data generator 122 and signature 
data SIGga ESC of module Modg^ using the secret 
key data K^scs- 

[0325] In this case, the content provider 101 stores 
the authorization certificate module Modga in for exam- 
ple the secure container 1 04 and distributes the same 
to the SAMs 105^ to 1064. 

[0326] Note that, it is also possible that the EM D serv- 
ice center 1 02 generate six months' worth of the author- 
ization certificate module Mod2a encrypted by using the 
distribution key data KD-, to KDg corresponding to dif- 
ferent months and transmit them to the content provider 

101 together. 

[EMD Service Center 102] 

[0327] The EMD service center 102 has a certificate 
authority (CA) function, a key management function, 
and a right clearing (profit distribution) function. 
[0328] Figure 1 0 is a view of the configuration of the 
functions of the EMD service center 1 02. 
[0329] As shown in Fig. 10, the EMD service center 

1 02 has a key server 1 41 , a key database 1 41 a, a set- 
tlement processor 142, a signature processor 143, a 
settlement organization manager 144, a certificate/us- 
age control policy manager 145, a CER database 145a, 
a content provider manager 148, a CP database 148a, 
a SAM manager 149, a SAM database 149a, a mutual 
authenticator 150, and an encryptor/decryptor 151. 
[0330] Note that, in Fig. 10, in the flow of the data 
among the functional blocks in the EMD service center 
102, the flow of the data related to the data transferred 
with the content provider 101 is shown. 

[0331] Further, in Fig. 11, in the flow of the data among 
the functional blocks in the EMD service center 1 02, the 
flow of the data related to the data transferred between 
the SAMs 1 05-1 to 1 054 and the settlement organization 
91 shown in Fig. 1 is shown. 

[0332] The key server 141 reads the distribution key 

data having the term of validity of one month stored in 
the key database 1 41 a in response to a request and out- 
puts the same to the content provider manager 148 and 
the SAM manager 149. 

[0333] Further, it is comprised by a series of the key 
databases for storing the key data such as the storage 
key data Kstr> media key data Ky eq, and MAC key data 
I^MAC other than the key database 1 41 a distribution key 
data KD. 

[0334] The settlement processor 142 performs the 
settlement processing based on the usage log data 1 08 
input from the SAMs 105^ to IO54, suggested retailer' 



price data SRP input from the certificate/usage control 
policy manager 145, and the sale price, generates the 
settlement report data 1 07 and a settlement claim data 
152, outputs the settlement report data 107 to the con- 
5 tent provider manager 148, and outputs the settlement 
claim data 152 to the settlement organization manager 
144. 

[0335] Note that, the settlement processor 142 mon- 
itors whether or not the transaction was conducted by 

an illegal dumping price based on the sale price. 
[0336] Here, the usage log data 1 08 indicates the log 
of the purchase and the usage (reproduction, storing, 
transfer, etc.) of the secure container 104 in the user 
home network 103 and is used when determining the 
payment of the license fee stored to the secure contain- 
er 104 in the settlement processor 142. 
[0337] The usage log data 1 08 describes, for exam- 
ple, the identifier ContentJD of the content data C 
stored in the secure container 104, the identifier CP_ID 
of the content provider 101 distributing the secure con- 
tainer 1 04, the compression method of the content data 
C in the secure container 104, the identifier MediaJD 
of the storage medium storing the secure container 1 04, 
the identifier SAMJD of the SAMs 105^ to IO54 receiv- 
ing the distribution of the secure container 104, the 
USERJD of the related SAMs 105^ to IO54, etc. Ac- 
cordingly, when the EMD service center 102 must dis- 
tribute money paid by the user of the user home network 
1 03 to a party other than the owner of the content pro- 
vider 1 01 , for example, the license owner of for example 
the compression method or the storage medium, the 
EMD service center 1 02 determines the sum to be paid 
to each other party based on a distribution rate table 
determined in advance and generates the settlement re- 
port data 107 and the settlement claim data 152 in ac- 
cordance with the related determination. The related 
distribution rate table is generated for example for every 
content data stored in the secure container 104. 
[0338] Further, the settlement claim data 152 is au- 
thorized data enabling claim of payment of money to the 
settlement organization 91 and is generated for each in- 
dividual owner of a right when for example the money 
paid by the user is distributed to a plurality of owners of 
rights. 

[0339] Note that the settlement organization 91 sends 
a record of use of the related settlement organization to 
the EMD service center 1 02 when the settlement is fin- 
ished. The EMD service center 102 notifies the content 
of the related record of use to the corresponding owner 
of a right. 

[0340] The settlement organization manager 144 

transmits the settlement claim data 152 generated by 
the settlement processor 142 via the payment gateway 
90 shown in Fig. 1 to the settlement organization 91 . 
[0341] Note that, as will be mentioned later, it is also 
possible that the settlement organization manager 144 
transmit the settlement claim data 1 52 to an owner of a 
right such as the content provider 1 01 and that the own- 
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er of the right itself performs the settlement at the set- 
tlement organization 91 by using the received settle- 
ment claim data 152. 

[0342] Further, the settlement organization manager 

144 takes the hush value of the settlement claim data 5 
1 52 in the signature processor 1 43 and transmits signa- 
ture data SIGqs generated by using the secret key data 
Kesc.s together with the settlement claim data 152 to 
the settlement organization 91 . 

[0343] The certificate/usage control policy manager io 

145 reads the public key certificate data CERqp and 
public key certificate data CERqami to CERsam4 ®tc. 
registered and authorized in the CER database 145a 
and, at the same time, registers and authorizes the us- 
age control policy data 1 06 and the content key data Kc 15 
etc. of the content provider 101 in the CER database 
145a. 

[0344] Note that, it is also possible that databases for 
storing the public key certificate data CERs^mi to 
CERsAM4' the usage control policy data 106, and the 20 
content key data Kc be individually provided. 
[0345] At this time, the certificate/usage control policy 
manager 145 takes the hush value of for example the 
usage control policy data 1 06 and the content key data 
Kc and generates the authorized public key certificate 25 
data having the signature data using the secret key data 
K^scs attached thereto. 

[0346] The content provider manager 148 has the 
function of communicating with the content provider 1 01 
and can access the CP database 1 48a for managing the 30 
identifier CPJD etc. of the registered content provider 
101. 

[0347] The SAM manager 149 has the function of 
communicating with the SAMs 105-, to IO54 in the user 
home network 103 and can access the SAM database 35 
149a storing the identifier SAM_ID of the registered 
SAM and the SAM registration list etc. 
[0348] Below, the flow of the processing in the EMD 
service center 102 will be explained. 
[0349] First, the flow of the processing when transmit- 40 
ting the distribution key data from the EMD service cent- 
er 102 to the content provider 101 and the SAMs 105^ 
to 1054 in the user home network 103 will be explained 
while referring to Fig. 10 and Fig. 11. 
[0350] As shown in Fig. 10, the key server 141 reads 45 
for example six months' worth of the distribution key da- 
ta KD^ to KDg from the key database 141a every pre- 
determined period and outputs the same to the content 
provider manager 148. 

[0351 ] Further, the signature processor 1 43 takes the 50 
hush value of each of the distribution key data KD^ to 
KDg, generates the signature data SIG^^q-i^sc to 
SIGkd6,esg corresponding to them, and outputs them to 
the content provider manager 148. 

[0352] The content provider manager 148 encrypts 55 
these six months' worth of the distribution key data KD^ 

to KDg and their signature data SIGj^q-, ^sc to 
SIGkd6,esc using the session key data Kg^s ob- 



tained by the mutual authentication between the mutual 
authenticator 150 and the mutual authenticator 120 
shown in Fig. 3 and then transmits the same to the con- 
tent provider 101. 

[0353] Further, as shown in Fig. 1 1 , the key server 141 
reads for example three months' worth of the distribution 
key data KD^ to KD3 from the key database 141a for 
every predetermined period and outputs the same to the 
SAM manager 149. 

[0354] Further, the signature processor 1 43 takes the 
hush value of each of the distribution key data KD^ to 
KDg, generates the signature data SIG^q^ ^gc to 
SIGkd3,esc corresponding to them by using the secret 
key data K^scsof the EMD service center 102, and out- 
puts them to the SAM manager 149. 
[0355] The SAM manager 149 encrypts these three 
months' worth of the distribution key data KD-, to KD3 
and their signature data SIG^^p-i^sc to SIG^^og^sc 
using the session key data Kq^q obtained by mutual au- 
thentication between the mutual authenticator 150 and 
the SAMs 105^ to 1054 and then transmits the same to 
the SAMs 105i to IO54. 

[0356] Below, an explanation will be made of the 
processing where the EMD service center 102 receives 
a request for issuance of public key certificate data CE R- 
QP from the content provider 101 by referring to Fig. 10 
and Fig. 12. 

[0357] Figure 1 2 is a flowchart of the related process- 
ing. 

[0358] Step SCI : When receiving a request for issu- 
ance of public key certificate data containing the identi- 
fier CPJD of the content provider 101, public key data 
Kcpp, and signature data SIGq cp fi'om the content pro- 
vider 101, the content provider manager 148 decrypts 
them by using the session key data Kg^s obtained by 
mutual authentication between the mutual authenticator 
150 and the mutual authenticator 120 shown in Fig. 3. 
[0359] Step SC2: After confirming the legitimacy of 
the related decrypted signature data SIGg cp ^t the sig- 
nature processor 1 43, it confirms whether or not the con- 
tent provider 101 issuing the related public key certifi- 
cate data issuance request is registered in the CP da- 
tabase 1 48a based on the identifier CPJD and the pub- 
lic key data KQp p. 

[0360] Step SC3: The certificate/usage control policy 
manager 145 reads the public key certificate data CER- 
qp of the related content provider 1 01 from the CER da- 
tabase 145a and outputs the same to the content pro- 
vider manager 148. 

[0361] Step SC4: The signature processor 143 takes 
the hush value of the public key certificate data CERqp, 
generates the signature data SIG-| ^sc using the se- 
cret key data K^scs the EMD service center 1 02, and 
outputs this to the content provider manager 148. 
[0362] Step SC5: The content provider manager 148 
encrypts the public key certificate data CERqp and the 
signature data SIG-, ^sc thereof by using the session 
key data Kqes obtained by the mutual authentication be- 
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tween the mutual authenticator 150 and the mutual au- 
thenticator 120 shown in Fig. 3 and then transmits the 
same to the content provider 1 01 . 
[0363] Below, an explanation will be made of the 
processing where the EMD service center 1 02 receives 5 
a request for issuance of public key certificate data 
CERsAMi fi'om the SAM 105^ by referring to Fig. 11 and 
Fig. 13. 

[0364] Figure 1 3 is a flowchart of the related process- 
ing. 10 
[0365] Step SD1 : When receiving a request for issu- 
ance of public key certificate data containing the identi- 
fier SAM1_ID of the SAM 105^, the public key data 
I^SAMi.P' the signature data SIGqsami ^^^^ the 
SAM 1 05-1 , the SAM manager 1 49 decrypts them by us- 15 
ing the session key data Kg^s obtained by the mutual 
authentication between the mutual authenticator 150 
and the SAM 105^. 

[0366] Step SD2: After confirming the legitimacy of 
the related decrypted signature data SIGs sami ^t the 20 
signature processor 143, it is confirmed whether or not 
the SAM 105^ issuing a request for issuance of the re- 
lated public key certificate data is registered in the SAM 
database 149a based on the identifier SAM1_ID and the 
public key data Kg^Mi ,p- 

[0367] Step SD3: The certificate/usage control policy 
manager 145 reads the public key certificate data 
CERsAMi of the related SAM 1 05^ from the CER data- 
base 145a and outputs the same to the SAM manager 
149. 30 
[0368] Step SD4: The signature processor 143 takes 
the hush value of the public key certificate data 
CERsAMi' 9®"^® ''^tes signature dataSIGgo Esc using 
the secret key data K^sc.s the EMD service center 
102, and outputs this to the SAM manager 149. 35 
[0369] Step SD5: The SAM manager 1 49 encrypts the 
public key certificate data CERqami the signature 
data SIG50 ESC thereof by using the session key data 
K3ES obtained by the mutual authentication between the 
mutual authenticator 150 and the SAM 105-, and then 40 
transmits the same to the SAM 105-,. 
[0370] Note that the processing where the SAMs 1 052 
to 1054 request public key certificate data is basically 
the same as the case of the SAM 1 05^ mentioned above 
except the object is replaced by the SAMs 1 052 to 1 05^. ^5 
[0371] Note that, in the present invention, the EMD 
service center 102 can generate the public key certifi- 
cate data CERgAMi the public key data Kqami p too 
at the time of shipping when for example storing the se- 
cret key data Ksami,s the public key data Ksami,p 
of the SAM 1 05-1 in the storage unit of the SAM 1 05-, at 
the time of shipping of the SAM 1 05-, . 
[0372] At this time, it is also possible to store public 
key certificate data CERqami in the storage unit of the 
SAM 105^ at the time of shipping. 55 
[0373] Below, an explanation will be made of the 
processing where the EMD service center 1 02 receives 
a request for registration of the usage control policy data 
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106 and the content key data Kc from the content pro- 
vider 101 by referring to Fig. 10 and Fig. 14. 
[0374] Figure 1 4 is a flowchart of the related process- 
ing. 

[0375] Step SE1 : When receiving the usage control 
policy registration request module Mod2 shown in Fig. 
7A from the content provider 101 , the content provider 
manager 148 decrypts the usage control policy registra- 
tion request module Mod2 by using the session key data 
KgEs obtained by the mutual authentication between the 
mutual authenticator 150 and the mutual authenticator 
120 shown in Fig. 3. 

[0376] Step SE2: The signature processor 143 veri- 
fies the legitimacy of the signature data SIG5 Qp by using 
the public key data Kqp read from the key database 
141a. 

[0377] Step SE3: The certificate/usage control policy 
manager 1 45 registers the usage control policy data 1 06 
and the content key data Kc stored in the usage control 
policy registration request module Mod2 in the CER da- 
tabase 145 a. 

[0378] Below, an explanation will be made of the 
processing where the settlement processing is carried 
out in the EMD service center 102 by referring to Fig. 11 
and Fig. 15. 

[0379] Figu re 1 5 is a flowchart of the related process- 
ing. 

[0380] Step SF1 : When receiving as its input the user 
log data 108 and a signature data SIG2oo,saivii thereof 
from for example the SAM 105^ of the user home net- 
work 1 03, the SAM manager 1 49 decrypts the usage log 
data 108 and the signature data SIG2oo,sami using 
the session key data Ks^s obtained by the mutual au- 
thentication between the mutual authenticator 150 and 
the SAM 105^, verifies the signature data SIG200SAM1 
by the public key data Kg^M^ of the SAM 1 05-, , and then 
outputs the same to the settlement processor 1 42. 
[0381] Step SF2: The settlement processor 142 per- 
forms the settlement processing based on the usage log 
data 1 08 input from the SAM manager 1 49 and the sug- 
gested retailer' price data SRP and the sale price con- 
tained in the usage control policy data 1 06 read from the 
CER database 145a via the certificate/usage control 
policy manager 1 45 and generates the settlement claim 
data 152 and the settlement report data 107. Note that, 
the settlement claim data 152 and the settlement report 
data 1 07 can be generated whenever the usage log data 
108 is input from the SAM too or can be generated for 
every predetermined period too. 
[0382] Step SF3: The settlement processor 142 out- 
puts the settlement claim data 152 to the settlement or- 
ganization manager 144. 

[0383] The settlement organization manager 144 
transmits the settlement claim data 152 and the signa- 
ture data SIGqs thereof via the payment gateway 90 
shown in Fig. 1 to the settlement organization 91 after 
the mutual authentication and the decryption by the ses- 
sion key data Kg^s- 
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[0384] By this, money of the sum indicated in the set- 
tlement claim data 152 is paid to the content provider 
101. 

[0385] Note that, it is also possible for the EiVID serv- 
ice center 1 02 to transmit the settlement claim data 1 52 
to the content provider 1 01 and for the content provider 
101 to claim money at the settlement organization 91 by 
using the settlement claim data 152. 
[0386] Step SF4: The settlement processor 142 out- 
puts the settlement report data 107 to the content pro- 
vider manager 148. 

[0387] The settlement report data 1 07, as mentioned 

above, describes for example the content of the settle- 
ment concerning the content provider 101 performed 
with respect to the settlement organization 91 shown in 
Fig. 1 by the EIVID service center 102. 
[0388] The content provider manager 148 encrypts 
the settlement report data 1 07 by using the session key 
data KsEs obtained by the mutual authentication be- 
tween the mutual authenticator 150 and the mutual au- 
thenticator 120 shown in Fig. 3 and then transmits the 
same to the content provider 101 . 
[0389] Further, it is also possible that the EMD service 
center 102 register (authorize) the usage control policy 
data 1 06 as mentioned above and then encrypt the au- 
thorization certificate module Mod2a shown in Fig. 7B 
by the distribution key data KD-, to KDg and transmit the 
same from the EMD service center 102 to the content 
provider 101. 

[0390] Further, the EMD service center 1 02 performs 
the processing at the time of shipment of the SAMs 1 05^ 
to 1 054 and the registration processing of the SAM reg- 
istration list other than the above. These processings 
will be explained later. 

[User Home Network 103] 

[0391] The user home network 103 has the network 
apparatus 160-, and the A/V apparatuses I6O2 to I6O4 
as shown in Fig. 1 . 

[0392] The network apparatus 1 60-, includes the SAM 
1 05^ . Further, the AV apparatuses 1 6O2 to 1 6O4 include 
the SAMs 1052 to ^^^a- 

[0393] The SAMs 1 05-, to 1 064 are connected to each 
other via the bus 191, for example, the IEEE 1394 serial 
interface bus. 

[0394] Note that, it is also possible that the AV appa- 
ratuses I6O2 to I6O4 have the network communication 
function or do not have the network communication 
function, but utilize the network communication function 
of the network apparatus 1 60-, . 

[0395] Further, it is also possible for the user home 
network 103 to have only the AP apparatus not having 
a network function. 

[0396] Below, an explanation will be made of the net- 
work apparatus 1 60-, . 

[0397] Figure 1 6 is a view of the configuration of the 
network apparatus 160-,. 



[0398] As shown in Fig. 16, the network apparatus 
160-1 has the SAM 105-|, a communication module 162, 
a decryption/decompression module 163, a purchase/ 
usage mode determination controller 165, a download 
5 memory 1 67, a reproduction module 1 69, and an exter- 
nal memory 201. 

[0399] The SAMs 105^ to IO54 are modules for the 
charge processing in units of content and communicate 
with the EMD service center 102. 

[0400] The SAMs 1 05-, to 1 064, for example, are man- 
aged in specifications and versions by the EMD service 
center 102 and are licensed to manufactures of home 
apparatuses as black box charging modules for charg- 
ing in units of content when desired to be mounted. For 
example, a manufacturer developing a home apparatus 
cannot learn the internal specifications of the ICs (inte- 
grated circuit) of the SAMs 1 05-, to 1 054. The EMD serv- 
ice center 1 02 standardizes the interfaces etc. of the re- 
lated ICs. These are mounted in the network apparatus 
1 60-1 and the AV apparatuses 1 6O2 to 1 6O4 accordingly. 
[0401] The SAMs 1 05-| to 1 054 are hardware modules 
(IC modules etc.) with processing contents completely 
shut off from the outside and thereby having tamper re- 
sistance preventing the processing contents from being 
monitored or tampered with from the outside and pre- 
venting data stored in the inside in advance and the data 
being processed from being monitored and tampered 
from the outside. 

[0402] When realizing the functions of the SAM 105.| 
to 1 054 in the form of ICs, the ICs have secret memories 
and store secret programs and secret data therein. The 
SAMs are not limited to the physical mode of ICs. If the 
functions can be built into a portion of the apparatus, it 
is also possible to define that portion as a SAM. 
[0403] Below, the functions of the SAM 105-, will be 
explained in detail. 

[0404] Note that, the SAMs 1052 to ^^^4 basically 
have the same functions as those of the SAM 1 05-,. 
[0405] Figure 1 7 is a view of the configuration of the 
functions of the SAM 1 05-, . 

[0406] Note that, in Fig. 17, the flow of the data related 
to the processing for inputting the secure container 1 04 
from the content provider 101 and decrypting the key 
file KF in the secure container 104 is shown. 
[0407] As shown in Fig. 1 7, the SAM 1 05-, has a mu- 
tual authenticator 170, encryptor/decryptors 171, 172, 
and 1 73, a content provider manager 1 80, an error cor- 
rector 1 81 , a download memory manager 1 82, a secure 
container decryptor 183, a decryption/decompression 
module manager 184, an EMD service center manager 
185, a usage monitor 186, a charge processor 187, a 
signature processor 1 89, a SAM manager 1 90, a media 
SAM manager 1 97, a stack (work) memory 200, and an 
external memory manager 811 . 

[0408] Note that the AV apparatuses 1 6O2 to 1 6O4 do 
not have download memories 167, therefore there are 
no download memory managers 182 in the SAMs 1052 
to 1054. 
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[0409] Note that, the predetermined functions of the 
SAM 105-1 shown in Fig. 17 are realized by executing a 
secret program in for example a not illustrated CPU. 
[0410] Further, the stack memory 200 stores the us- 
age log data 108 and the SAM registration list after the 
following processings as shown in Fig. 18. 
[041 1 ] Here, the memory space of the external mem- 
ory 201 cannot be seen from the outside (for example 
a host CPU 81 0) of the SAM 1 05^ . Only the SAM 1 05^ 
can manage the access with respect to the storage re- 
gion of an external memory 201 . 
[0412] As the external memory 201, use is made of 
for example a flash memory or a ferroelectric memory 
(FeRAM). 

[0413] Further, as the stack memory 200, use is made 
of for example a SARAM. As shown in Fig. 19, the se- 
cure container 104, content key data Kc, usage control 
policy data (UCP) 1 06, a lock key data Klqc of ^ storage 
unit 1 92, the public key certificate CERqp of the content 
provider 1 01 , the usage control status data (UCS) 166, 
the SAM program download containers SDC^ to SDCg, 
etc. are stored. 

[0414] Below, an explanation will be made of the 
processing content of the functional blocks when input- 
ting the secure container 104 from the content provider 
101 among the functions of the SAM 105-| by referring 
to Fig. 17. 

[0415] When the SAM 105-, transfers dataon-line with 
the content provider 101 and the EMD service center 
102, the mutual authenticator 170 performs the mutual 
authentication between the content provider 101 and 
the EMD service center 1 02 to generate the session key 
data (common key) Kses ^"^^1 outputs this to the encryp- 
tor/decryptor 171. The session key data Kqes newly 
generated whenever mutual authentication is carried 
out. 

[0416] The encryptor/decryptor 171 encrypts and/or 
decrypts the data transferred with the content provider 

101 and the EMD service center 102 by using the ses- 
sion key data Kqes generated by the mutual authenti- 
cator 170. 

[041 7] The error corrector 1 81 corrects the error of the 
secure container 1 04 and outputs the result to the down- 
load memory manager 182. 

[0418] Note that, it is also possible that the user home 
network 103 have the function of detecting whether or 

not the secure container 104 has been tampered with. 
[0419] In the present embodiment, the case where the 
error corrector 181 was included in the SAM 105.| was 
illustrated, but it is also possible to impart the function 
of the error corrector 1 81 to the outside of the SAM 1 05-, , 
for example the host CPU 810. 

[0420] The download memory manager 1 82 encrypts 
the secure container 104 after the error correction by 
using the session contained Ks^s obtained by the mu- 
tual authentication after the mutual authentication be- 
tween the mutual authenticator 170 and a media SAM 
167a when the download memory 167 has the media 



SAM 167a having the mutual authentication function as 
shown in Fig. 1 6 and writes the same into the download 
memory 1 67 shown in Fig. 1 6. As the download memory 
167, use is made of a nonvolatile semiconductor mem- 
5 ory, for example, a memory stick. 

[0421] Note that, as shown in Fig. 20, when a memory 
not provided with a mutual authentication function such 
as an HDD (hard disk drive) is used as a down load mem- 
ory 21 1 , the interior of the download memory 21 1 is not 
secure, therefore the content file CF is downloaded in 
the download memory 211, and the key file KF having 
the high secrecy is downloaded in the stack memory 200 
shown in Fig. 17. 

[0422] The secure container decryptor 183 decrypts 
the key file KF stored in the secure container 1 04 input 
from the download memory manager 182 by using the 
distribution key data KD-, to KDg of the corresponding 
period read from the storage unit 192 and confirms the 
legitimacy of the signature data SIG2_cp to SIG4 Qp, that 
is, the legitimacy of the creator of the content data C, 
content key data Kc, and the usage control policy data 
1 06 in the signature processor 1 89, and then writes the 
decrypted data into the stack memory 200. 
[0423] The EM D service center manager 1 85 manag- 
es the communication with the EMD service center 1 02 
shown in Fig. 1 . 

[0424] The signature processor 189 verifies the sig- 
nature data in the secure container 104 by using the 
public key data K^scp of service center 102 

read from the storage unit 192 and the public key data 
Kqp p of the content provider 1 01 . 
[0425] The storage unit 192 stores, as secret data 
which cannot be read and rewritten from the outside of 
the SAM 1 05^, as shown in Fig. 21 , the distribution key 
data KD-, to KD3, SAM_ID, user ID, password, informa- 
tion reference use ID, SAM registration list, storage key 
data KsTR, public key data Kr.qa.p of the route CA, pub- 
lic key data K^scp of the EMD service center 1 02, me- 
dia key data Ki^ied, public key data K^scp of the EMD 
service center 1 02, secret key data Kqami ,s of the SAM 
1 05-, , public key certificate data CERqami storing public 
keydataKsAMi,pOf the SAM 105^ therein, signature da- 
ta SIG22 of the public key certificate CER^sc using the 
secret key data K^sq s of the EMD service center 102, 
the original key data for the mutual authentication with 
the decryption/decompression module 163, and the 
original key data for the mutual authentication with the 
media SAM. 

[0426] Further, the storage unit 192 stores a secret 
program for realizing at least part of the functions shown 
in Fig. 17. 

[0427] As the storage unit 1 92, use is made of for ex- 
ample aflash-EEPROM (electrically erasable program- 
mable RAM). 

[0428] Below, an explanation will be made of the flow 
of the processing when inputting the secure container 
104 from the content provider 101 in the flow of the 
processing of the SAM 105^. 
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[0429] First, the flow of the processing in the SAM 
105-1 when storing the distribution l^ey data KD-, to KD3 
received from the ElVID service center 1 02 in the storage 
unit 192 will be explained by referring to Fig. 17. 
[0430] In this case, first, the mutual authentication is 5 
carried out between the mutual authenticator 170 and 
the mutual authenticator 150 shown in Fig. 10. 
[0431] Next, three months' worth of the distribution 
key data KD^ to KD3 encrypted by the session key data 
KgEs obtained by the related mutual authentication and 10 
the signature data SIG^di ,esc *o ^'^kd3,esc thereof are 
written from the EMD service center 102 via the EMD 
service center manager 1 85 into the stack memory 811. 
[0432] Next, the encryptor/decryptor 171 uses the 
session key data Ks^s to decrypt the distribution key da- 15 
ta KD-i to KD3 and the signature data SIGkdi,esc to 

^'^KD3,ESC- 

[0433] Next, the signature processor 1 89 confirms the 
legitimacy of the signature data SIG^dlesc to 
SIGkd3,esc stored in the stack memory 811 , then writes 20 
the distribution key data KD^ to KD3 into the storage unit 
192. 

[0434] Below, an explanation will be made of the flow 
of the processing in the SAM 105-, when inputting the 
secure container 1 04 from the content provider 1 01 and 25 
decrypting the key file KF in the secure container 104 
by referring to Fig. 17 and Fig. 22. 
[0435] Figure 22 is a flowchart of the related process- 
ing. 

[0436] Step SGI : The mutual authentication is carried 30 
out between the mutual authenticator 170 of the SAM 
1 05-1 shown in Fig. 1 7 and the mutual authenticator 1 20 
shown in Fig. 2. 

[0437] The encryptor/decryptor 171 decrypts the se- 
cure container 104 received from the content provider 35 
1 01 via the content provider manager 1 80 by using the 
session key data Kses obtained by the related mutual 
authentication. 

[0438] Step SG2: The signature processor 189 veri- 
fies the signature data SIG-, esc shown in Fig. 4C and 40 
then confirms the legitimacy of the signature data 
SIGg CP and SIG7 Qp by using the public key data KQp p 
of the content provider 1 01 stored in the public key cer- 
tificate data CERqp shown in Fig. 4C. 
[0439] When the legitimacy of the signature data ^5 
SIGg CP and SIG7 CP is confirmed, the content provider 
manager 180 outputs the secure container 104 to the 
error corrector 181 . 

[0440] The error corrector 181 corrects the error of the 

secure container 1 04 and then outputs the result to the 50 

download memory manager 182. 

[0441] Step SG3: The download memory manager 

182 performs the mutual authentication between the 

mutual authenticator 170 and the media SAM 167a 

shown in Fig. 16 and then writes the secure container 55 

104 into the download memory 167. 

[0442] Step SG4: The download memory manager 

182 performs the mutual authentication between the 



mutual authenticator 170 and the media SAM 167a 
shown in Fig. 16 and then reads the key file KF shown 
in Fig. 4B stored in the secure container 104 from the 
download memory 1 67 and outputs the same to the se- 
cure container decryptor 1 83. 

[0443] Then, the secure container decryptor 183 de- 
crypts the key file KF by using the distribution key data 
KD-i to KD3 of the corresponding period input from the 
storage unit 192 and outputs the signature data 

SIG^ ESC ^"^^ SIG2 CP to SIG4 CP stored in the signature/ 
certificate module Mod-, shown in Fig. 48 to the signa- 
ture processor 189. 

[0444] Step SG5: The signature processor 189 veri- 
fies the signature data SIG-, esc shown in Fig. 4B and 
then verifies the signature data SIG2 cp to SIG4 cp by 
using the public key data Kesc.p stored in the public key 
certificate data CERcp shown in Fig. 4B. By this, the 
legitimacy of the creator of the content data C, content 
key data Kc, and the usage control policy data 106 is 
verified. 

[0445] Step SG6: The secure container decryptor 1 83 
writes the key file KF into the stack memory 200 when 
the legitimacy of the signature data SIG2 cp to SIG4 cp 
is confirmed. 

[0446] Below, an explanation will be made of the 

processing content of the functional blocks related to the 
processing for using and/or purchasing the content data 
C downloaded in the download memory 1 67 by referring 
to Fig. 23. 

[0447] The usage monitor 186 reads the usage con- 
trol policy data 106 and the usage control status data 
166 from the stack memory 200 and monitors so that 
the content is purchased and/or used within the range 
permitted by the related read usage control policy data 
1 06 and usage control status data 1 66. 
[0448] Here, the usage control policy data 106 has 
been stored in the key file KF shown in Fig. 4B stored 
in the stack memory 200 after decryption as explained 
by using Fig. 17. 

[0449] Further, the usage control status data 166 is 
stored in the stack memory 200 when the purchase 
mode is determined by the user as will be mentioned 
later. 

[0450] The charge processor 187 generates the us- 
age log data 108 in response to a control signal SI 65 
from the purchase/usage mode determination controller 
165 shown in Fig. 16. 

[0451 ] Here, the usage log data 1 08 describes the log 
of the purchase and usage modes of the secure con- 
tainer 1 04 by the user as mentioned before and is used 
when performing the settlement processing in accord- 
ance with the purchase of the secure container 1 04 and 
determining the payment of the license fee in the EMD 
service center 102. 

[0452] Further, the charge processor 1 87 notifies the 
sale price or the suggested retailer' price data SRP read 
from the stack memory 200 to the user according to 
need. 
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[0453] Here, the sale price and the suggested retailer' 
price data SRP have been stored in the usage control 
policy data 1 06 of the key file KF shown in Fig. 4B stored 
in the stack memory 200 after decryption. 
[0454] The charge processing by the charge proces- 5 
sor 1 87 is carried out based on the content of the rights 
such as the license conditions indicated by the usage 
control policy data 1 06 and the usage control status data 
166 under the monitoring of the usage monitor 186. 
Namely, the user purchases and uses the content within io 
the range according to the related content of rights etc. 
[0455] Further, the charge processor 187 generates 
the usage control status (UCS) data describing the pur- 
chase mode of the content by the user and writes this 
into the stack memory 200. 15 
[0456] As the purchase modes of the content, there 
are for example a straight purchase without restriction 
as to reproduction by the purchaser and copying for the 
usage of the related purchaser and a reproduction 
charge charging whenever it is reproduced. 20 
[0457] Here, the usage control status data 1 66 is gen- 
erated when the user determines the purchase mode of 
the content, then is used for control so that the user uses 
the related content within the range permitted by the re- 
lated determined purchase mode. The usage control 25 
status data 1 66 describes the ID of the content, the pur- 
chase mode, the price in accordance with the related 
purchase mode, the SAMJD of the SAM with the pur- 
chase of the related content performed therefor, 
USERJD of the purchasing user, etc. 30 
[0458] Note that, where the determined purchase 
mode is the reproduction charge, for example, the us- 
age control status data 1 66 is transmitted from the SAM 
1 05-1 to the content provider 1 01 in real-time simultane- 
ously with the purchase of the content data C, and the 35 
content provider 1 01 indicates to the EMD service cent- 
er 1 02 to obtain the usage log data 1 08 at the SAM 1 05^ 
within the predetermined period. 
[0459] Further, where the determined purchase mode 
is a straight purchase, for example, the usage control 
status data 1 66 is transmitted in real-time to both of the 
content provider 101 and the EMD service center 102. 
In this way, in the present embodiment, in the both cas- 
es, the usage control status data 166 is transmitted in 
real-time to the content provider 101. ^5 
[0460] The EMD service center manager 185 trans- 
mits the usage log data 1 08 read from the external mem- 
ory 201 via the external memory manager 811 to the 
EMD service center 102. 

[0461] At this time, the EMD service center manager 50 
1 85 generates the signature data SIG2oo,sami of the us- 
age log data 108 by using the secret key data Ksami,s 
in the signature processor 1 89 and transmits the signa- 
ture data SIGgoo.sAMi together with the usage log data 
1 08 to the EM D service center 1 02. 55 
[0462] The usage log data 1 08 can be transmitted to 
the EMD service center 1 02 in response to for example 
a request from the EMD service center 102 or periodi- 
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cally or can be transmitted when the amount of the log 
information contained in the usage log data 108 be- 
comes the predetermined amount or more. The related 
amount of information is determined in accordance with 
for example the storage capacity of the external memory 
201. 

[0463] The download memory manager 182 outputs 
the content data C read from the download memory 1 67, 
the content key data Kc read from the stack memory 
200, and the user watermark data 196 input from the 
charge processor 1 87 to the decryption/decompression 
module manager 1 84 in the case where for example the 
reproduction operation of the content is carried out in 
response to a control signal SI 65 from the purchase 
mode determination controller 165 shown in Fig. 16. 
[0464] Further, the decryption/decompression mod- 
ule manager 184 outputs the content file CF read from 
the download memory 1 67 and the content key data Kc 
and asemi-disclosure parameter data 1 99 read from the 
stack memory 200 to the decryption/decompression 
module manager 184 when performing a trial listening 
operation of the content in response to the control signal 
SI 65 from the purchase mode determination controller 
165 shown in Fig. 16. 

[0465] Here, the semi-disclosure parameter data 1 99 

is described in the usage control policy data 106 and 
indicates the handling of the content in the trial listening 
mode. In the decryption/decompression module 163, it 
becomes possible to reproduce the encrypted content 
data C in the semi-disclosure state based on the semi- 
disclosure parameter data 1 99. As the procedure of the 
semi-disclosure, there is for example a procedure of 
designating the blocks to be decrypted and the blocks 
not to be decrypted by using the content key data Kc, 
limiting the reproduction function at the time of trial lis- 
tening, or limiting a trial listening enable period by the 
semi-disclosure parameter data 1 99 by utilizing the fact 
that the decryption/decompression module 163 proc- 
esses the data (signal) in units of predetermined blocks. 
[0466] Below, an explanation will be made of the flow 
of the processing in the SAM 105-,. 
[0467] First, an explanation will be made of the flow 
of the processing up to when the purchase mode of the 
secure container 104 downloaded in the download 
memory 167 from the content provider 101 is deter- 
mined by referring to Fig. 23 and Fig. 24. 
[0468] Figure 24 is a flowchart of the related process- 
ing. 

[0469] Step SHI : In the charge processor 187, it is 
decided whether or not the control signal SI 65 indicat- 
ing the trial listening mode was generated by the oper- 
ation of the purchase/usage mode determination con- 
troller 165 shown in Fig. 16 by the user. When it is de- 
cided that it was generated, the processing of step SH2 
is carried out, while when it was not so generated, the 
processing of step SH3 is carried out. 
[0470] Step SH2: By the charge processor 1 87, for ex- 
ample, the content file CF stored in the download mem- 
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ory 1 67 is output via tine decryption/decompression 
module manager 184 to the decryption/decompression 
module 163 shown in Fig. 16. 

[0471] At this time, the mutual authentication between 
the mutual authenticator 1 70 and the media SAM 1 67a 5 
and the encryption and/or decryption by the session key 
data Kqes and the mutual authentication between the 
mutual authenticator 170 and the mutual authenticator 

220 and the encryption and/or decryption by the session 
key data Kqes a''® carried out with respect to the content io 
file CF. 

[0472] The content file CF is decrypted at a decryptor 

221 shown in Fig. 16 and then output to a decryptor 222. 
[0473] Further, the content key data Kc and the semi- 
disclosure parameter data 199 read from the stack ^5 
memory 200 are output to the decryption/decompres- 
sion module 1 63 shown in Fig. 1 6. At this time, after the 
mutual authentication between the mutual authenticator 
170 and the mutual authenticator 220, the encryption 
and decryption by the session key data Kses a''® carried 20 
out with respect to the content key data Kc and the semi- 
disclosure parameter data 199. 

[0474] Next, the decrypted semi-disclosure parame- 
ter data 199 is output to a semi-disclosure processor 
225, and the content data Cis decrypted using the con- 25 
tent key data Kc by the decryptor 222 by semi-disclosure 
under the control from the semi-disclosure processor 
225. 

[0475] Next, the content data C decrypted by semi- 
disclosure is decompressed at a decompression unit 30 
223 and then output to an electronic watermark infor- 
mation processor 224. 

[0476] Next, the user watermark data 1 96 is buried in 
the content data C in the electronic watermark informa- 
tion processor 224, then the content data C is repro- 35 
duced at the reproduction module 1 69, and the audio in 
accordance with the content data C is output. 
[0477] Step SH3: When the user determines the pur- 
chase mode by operating the purchase/usage mode de- 
termination controller 1 65, the control signal SI 65 indi- 40 
eating the related determined purchase mode is output 
to the charge processor 1 87. 

[0478] Step SH4: In the charge processor 1 87, the us- 
age log data 1 08 and the usage control status data 1 66 
in accordance with the determined purchase mode are ^5 
generated, the usage log data 1 08 is written into the ex- 
ternal memory 201 via the external memory manager 
81 1 , and the usage control status data 1 66 is written into 
the stack memory 200. 

[0479] Thereafter, in the usage monitor 186, control 50 
(monitoring) is carried out so that the content are pur- 
chased and used within the range permitted by the us- 
age control status data 1 66. 

[0480] Step SH5: The usage control status data 166 
is added to the key file KF stored in the stack memory 55 
200 to generate a new key file KF-, having the purchase 
mode determined therein shown in Fig. 29B mentioned 
later. The key file KF^ is stored in the stack memory 200. 



[0481] As shown in Fig. 29B, the usage control status 
data 166 stored in the key file KF-, has been encrypted 
by utilizing the CBC mode of the DES by using the stor- 
age key data Kgyp. Further, the MAC value generated 
by using the related storage key data Kgyp as the MAC 
key data, that is, MAC300, is added. Further, a module 
comprised by the usage control status data 1 66 and the 
MAC300 is encrypted by utilizing the CBC mode of the 
DES by using the media key data Ki^^d- Further, the 
MAC value generated by using the related media key 
data K|^EQ as the MAC key data, that is, MAC301 , is add- 
ed to the related module. 

[0482] Below, an explanation will be made of the flow 
of the processing in the case where the content data C 
having the purchase mode already determined and 
stored in the download memory 167 is reproduced by 
referring to Fig. 23 and Fig. 25. 

[0483] Figure 25 is a flowchart of the related process- 
ing. 

[0484] Step SI1 : The charge processor 1 87 receives 
as its input the control signal SI 65 designating the con- 
tent to be reproduced in accordance with the operation 
by the user. 

[0485] Step SI2: In the charge processor 1 87, the con- 
tent file CF stored in the download memory 1 67 is read 
based on the control signal S165 under the monitoring 

of the usage monitor 1 86. 

[0486] Step SIS: The related read content file CF is 
output to the decryption/decompression module 163 
shown in Fig. 16. At this time, the mutual authentication 
is carried out between the mutual authenticator 170 
shown in Fig. 23 and the mutual authenticator 220 of the 
decryption/decompression module 163 shown in Fig. 
16. 

[0487] Further, the content key data Kc read from the 
stack memory 200 is output to the decryption/decom- 
pression module 163. 

[0488] Step SI4: The decryptor 222 of the decryption/ 

decompression module 1 63 decrypts the content file CF 
using the content key data Kc and the decompression 
processing by the decompression unit 223 and repro- 
duces the content data C at the reproduction module 
169. 

[0489] Step SI5: The charge processor 187 updates 
the usage log data 1 08 stored in the external memory 
201 in response to the control signal S165. 
[0490] The usage log data 1 08 is read from the exter- 
nal memory 201, and then passes through the mutual 
authentication and is transmitted via the EMD service 
center manager 185 together with the signature data 
SIG200,SAM1 to the EMD service center 102. 
[0491] Below, an explanation will be made of the flow 
of the processing in the SAM 105^ in a case where, as 
shown in Fig. 26, for example the content file CF having 
the purchase mode already determined and download- 
ed in the download memory 1 67 of the network appara- 
tus 160-1 and the key file KF are transferred to the SAM 
1 052 of ^ apparatus 1 6O2 via the bus 1 91 by refer- 
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ring to Fig. 27 and Fig. 28. 
[0492] Figure 28 is a flowchart of the related process- 
ing. 

[0493] Step SJ1 : The user operates the purchase/us- 
age mode determination controller 165 and indicates 5 
the transfer of the predetermined content stored in the 
download memory 167 to the AV apparatus I6O2, and 
the control signal SI 65 in accordance with the related 
operation is output to the charge processor 187. 
[0494] By this, the charge processor 1 87 updates the 10 
usage log data 108 stored in the external memory 201 
based on the control signal SI 65. 
[0495] Step SJ2: The download memory manager 
182 outputs the content file CF shown in Fig. 29A read 
from the download memory 167 to the SAM manager 15 
190. 

[0496] Step SJ3: The key file KF^ shown in Fig. 29B 
read from the stack memory 200 is output to the signa- 
ture processor 189 and the SAM manager 190. 
[0497] Step SJ4: The signature processor 1 89 gener- 20 
ates signature data SIG42 sami ^^^Y f''® l^l^i 
from the stack memory 200 and outputs this to the SAM 
manager 1 90. 

[0498] Further, the SAM manager 190 reads public 
key certificate data CERg^Mi shown in Fig. 29C and sig- 25 
nature data SIG22,esc thereof from the storage unit 1 92. 
[0499] Step SJ5: The mutual authenticator 170 out- 
puts the session key data Kg^s obtained by the mutual 
authentication with the SAM 1 052 encryptor/de- 
cryptor171. 30 
[0500] The SAM manager 190 generates a new se- 
cure container comprised by data shown in Fig. 29A, 
Fig. 29B, and Fig. 29C. 

[0501] Step SJ6: The encryptor/decryptor 171 en- 
crypts the data by using the session key data Kg^g and 35 
then output it to the SAM 1 052 of AV apparatus 1 602 
shown in Fig. 26. 

[0502] At this time, parallel to the mutual authentica- 
tion between the SAM 105^ and the SAM 1052, the mu- 
tual authentication of the bus 1 91 as the IEEE1394 se- 40 
rial bus is carried out. 

[0503] Below, as shown in Fig. 26, the flow of the 
processing in the SAM 1052 when writing the content 
file CF etc. input from the SAM 105-, into a storage media 
such as a RAM type will be explained by referring to Fig. ^5 
30 and Fig. 31. 

[0504] Figure 31 is a flowchart of the related process- 
ing. 

[0505] Step SKI : The SAM manager 1 90 of the SAM 
1 052 receives as its inputs the content file CF shown in 50 
Fig.29A, key file KF-,, and the signature data SIG42SAM1 
thereof shown in Fig. 29B and public key certificate data 
CERgy^y^ and the signature data SIG22,esc thei'eof 
shown in Fig. 29C from the SAM 105^ of the network 
apparatus 160-, as shown in Fig. 26. 55 
[0506] Then, the encryptor/decryptor 171 decrypts 
the content file CF, the key file KF^ and the signature 
data SIG42 gAMi thereof, and the public key certificate 
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data CERg/^iyyii and the signature data SIG22, esc thereof 
input by the SAM manager 1 90 by using the session key 
data KgEg obtained by the mutual authentication be- 
tween the mutual authenticator 1 70 and the mutual au- 
thenticator 1 70 of the SAM 1 05^ . 
[0507] Next, the key file KF-, and the signature data 
SIG42 

SAM1 thereof and public key certificate data 
CERgAMi and the signature data SIG22,esc thereof de- 
crypted by using the session key data Kg^s are written 
into the stack memory 200. 

[0508] Step SK2: The signature processor 189 veri- 
fies the signature data SIG22,esc ^^^^ stack 
memory 200 by using the public key data K^scp ''®ad 
from the storage unit 1 92 and confirms the legitimacy of 
public key certificate data CERs;^|^-|. 
[0509] Then, the signature processor 189 confirms 
the legitimacy of the signature data SIG42 gAMi I^V using 
the public key data Kg^^-i p stored in the public key cer- 
tificate data CERgAMi when confirming the legitimacy of 
the public key certificate data CERgAM^. 
[051 0] Next, when the legitimacy of the signature data 
SIG42 

SAM1' ^'^at is the legitimacy of the creator of the 
key file KF-, , is confirmed, it reads the key file KF^ shown 
in Fig. 29B from the stack memory 200 and outputs it to 
the encryptor/decryptor 1 73. 

[0511] Note that, in the related example, the case 
where the creator of the key file KF^ and the source of 
transmission were the same was explained, but when 
the creator of the key file KF1 and the source of trans- 
mission are different, the signature data of the creator 
and the signature data of the transmitter are generated 
with respect to the key file KF^ and the legitimacy of both 
signature data is verified at the signature processor 1 89. 
[0512] Step SK3: The encryptor/decryptor 173 se- 
quentially encrypts the key file KF-, by using the storage 
key data Kgjp,, media key data K^^^, and purchaser key 
data KpiN read from the storage unit 192 and outputs 
the same to the media SAM manager 197. 
[0513] Note that, the media key data K^/i^d is stored 
in the storage unit 1 92 in advance by the mutual authen- 
tication between the mutual authenticator 170 shown in 
Fig. 27 and the media SAM 252 of the RAM type storage 
media 250 shown in Fig. 26. 

[051 4] Here, the storage key data Kgjp is the data de- 
termined in accordance with the type of the apparatus, 
for example, a SACD (super audio compact disc) or 
DVD (digital versatile disc) apparatus, CD-R apparatus, 
and MD (Mini Disc) apparatus (AV apparatus 1 6O2 in the 
related example) and is used for establishing a one-to- 
one correspondence between the types of the appara- 
tuses and the types of the storage media. Note that the 
physical configurations of the disc media are the same 
between an SACD and a DVD, so there is a case where 
the storage and/or reproduction of the SACD storage 
media can be carried out by using a DVD apparatus. 
The storage key data Kgjp plays te role of preventing 
illicit copying in such a case. 

[0515] Further, the media key data K^^q is data 
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unique to the storage medium (the RAM type storage 
medium 250 in the related example). 
[0516] The media key data K^^d is stored in the stor- 
age media (the RAM type storage media 250 shown in 
Fig. 26 in the related example) side and preferably per- 
forms the encryption and decryption using the media 
key data K|^ed media SAM of the storage media 
from the viewpoint of the security. At this time, the media 
key data Ki^ied is stored in the related media SAM when 
the media SAM is mounted in the storage media, while 
is stored in for example a region in the RAM region out 
of the management of the host CPU 810 when the media 
SAM is not mounted in the storage media. 
[0517] Note that, as in the present embodiment, it is 
also possible that the mutual authentication be carried 
out between the apparatus side SAM (SAM 1052 
related example) and the media SAM (media SAM 252 
in the related example), the media key data K^^^ be 
transferred to the apparatus side SAM via the secure 
communication route, and the encryption and decryp- 
tion using the media key data K|^ed carried out in the 
apparatus side SAM. 

[0518] In the present embodiment, the storage key 
data Kgjp and the media key data K|^ed are used for 
protecting the security of the level of the physical layer 
of the storage media. 

[0519] Further, the purchaser key data Kpi^ is the da- 
ta indicating the purchaser of the content file CF and is 
allocated to the related purchased user by the EMD 
service center 1 02 when the user purchases the content 
by for example a straight purchase. The purchaser key 
data KpiN is managed in the EMD service center 102. 
[0520] Step SK4: The media SAM manager 197 out- 
puts the content file CF input from the SAM manager 
190 and the key file KF-, input from the encryptor/de- 
cryptor 1 73 to the storage module 260 shown in Fig. 26. 
[0521] Then, the storage module 260 writes the con- 
tent file CF and key file KF-, input from the media SAM 
manager 197 into the RAM region 251 of the RAM type 
storage media 250 shown in Fig. 26. In this case, it is 
also possible that the key file KF-, be written into the me- 
dia SAM 252. 

[0522] Below, the flow of the processing When deter- 
mining the purchase mode in the AV apparatus I6O2 
when a user home network 303 receives off-line the dis- 
tribution of the ROM type storage medium 130 shown 

in Fig. 6 having the not yet determined purchase mode 
of the content will be explained by referring to Fig.32, 
Fig. 33, Fig. 34, and Fig. 35. 

[0523] Step SL1 : The SAM 1 052 of AV apparatus 
I6O2 first performs the mutual authentication between 
the mutual authenticator 170 shown in Fig. 33 and the 
media SAM 133 of the ROM type storage media 130 
shown in Fig. 6 and then receives as its input the media 
key data K^ed ^^^^ media SAM 133. 
[0524] Note that, it is also possible that the related in- 
put not be carried out when the SAM 1 052 holds the me- 
dia key data K|^ed '"^ advance. 



[0525] Step SL2: The key file KF and signature data 
SIG7 Qp thereof and the public key certificate data CER- 
cp and signature data SIG^ esc thereof shown in Figs. 
4B and 4C stored in the secure container 104 stored in 
5 the RAM region 1 32 of the ROM type storage media 1 30 
are input via the media SAM manager 1 97 and are writ- 
ten into the stack memory 200. 

[0526] Step SL3: The signature processor 189, after 
confirming the legitimacy of the signature data 

SIG^ ^gQ, fetches the public key data Kqpp from public 
key certificate data CERqp and verifies the legitimacy 
of the signature data SIG7 Qp, that is, the legitimacy of 
the creator of the key file KF, by using this public key 

data Kqp p. 

[0527] Step SL4: When the legitimacy of the signature 
data SIG7 QP is confirmed at the signature processor 
1 89, the key file KF is read from the stack memory 200 
to the secure container decryptor 183. 
[0528] Then, the secure container decryptor 1 83 de- 
crypts the key file KF by using the distribution key data 
KD-i to KD3 of the corresponding period. 
[0529] Step SL5: The signature processor 189, after 
confirming the legitimacy of a signature dataSIG^ esc^ 
stored in the key file KF by using the public key data 
Kesc.P' verifies the legitimacy of the signature data 
SIG2 CP to SIG4 Qp, that is, the legitimacy of the creator 
of the content data C, content key data Kc ,and the us- 
age control policy data 1 06, by using the public key data 
Kqpp stored in the public key certificate data CERqp in 
the key file KR 

[0530] Step SL6: The charge processor 187 decides 
whether or not a control signal SI 65 indicating the trial 
listening mode was generated by the operation of the 
purchase/usage mode determination controller 165 
shown in Fig. 1 6 by the user, and where the generation 
is decided, the processing of step SL7 is carried out, 
and while where the generation is not decided, the 
processing of step SL8 is carried out. 
[0531] Step SL7: After the mutual authentication be- 
tween the mutual authenticator 1 70 shown in Fig. 33 and 
the decryption/decompression module 163 shown in 
Fig. 32, the decryption/decompression module manag- 
er 1 84 of the SAM 1 052 outputs the content key data Kc 
stored in the stack memory 200, the semi-disclosure pa- 
rameter data 1 99 stored in the usage control policy data 
106, and the content data C read from the ROM region 
131 of the ROM type storage media 130 to the decryp- 
tion/decompression module 1 66 shown in Fig. 32. Next, 
the decryption/decompression module 1 63 decrypts the 
content data C in the semi-disclosure mode by using the 
content key data Kc and then decompresses it and out- 
puts it to a reproduction module 270. Then, the repro- 
duction medial 270 reproduces the content data C from 
the decryption/decompression module 163 in the trial 
listening mode. 

[0532] Step SL8: The purchase mode of the content 

is determined by the purchase operation of the purchase 
mode determination controller 165 shown in Fig. 32 by 
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the user, then the control signal S165 indicating the re- 
lated determined purchase mode is input to the charge 
processor 1 87. 

[0533] Step SL9: The charge processor 187 gener- 
ates the usage control status data 166 in response to 
the control signal SI 65 and writes this into the stack 
memory 200. 

[0534] Further, the charge processor 187 generates 
or updates the usage log data 1 08. 
[0535] Step SL10: For example, a new key file KF^ 
shown in Fig. 29B storing the usage control status data 
166 in the key file KF shown in Fig. 4B is output from 
the stack memory 200 to the encryptor/decryptor 173. 
[0536] Step SL11: The encryptor/decryptor 173 se- 
quentially encrypts the key file KF-, shown in Fig. 29B 
read from the stack memory 200 by using the storage 
key data Ksjr, media key data K^^^, and the purchaser 
key data Kpn^j read from the storage unit 1 92 and outputs 
the same to the media SAM manager 197. 
[0537] Step SL1 2: After the mutual authentication be- 
tween the mutual authenticator 1 70 shown in Fig. 33 and 
the media SAM 1 33 shown in Fig. 32, the SAM manager 
197 writes the key file KF-, input from the encryptor/de- 
cryptor 173 via a storage module 271 shown in Fig. 32 
into the RAM region 132 or the media SAM 133 of the 
ROM type storage media 130. 

[0538] By this, the ROM type storage media 1 30 hav- 
ing the purchase mode determined is obtained. 
[0539] At this time, the usage control status data 1 66 
and the usage log data 108 generated by the charge 
processor 1 87 are read from the stack memory 200 and 
the external memory 201 at the predetermined timing 
and transmitted to the EMD service center 102. 
[0540] Below, as shown in Fig. 36, an explanation will 
be made of the flow of the processing when reading the 
secure container 1 04 from the ROM type storage media 
130 having the not yet determined purchase mode in 
the AV apparatus 1 6O3 and transferring the same to the 
AV apparatus I6O2, determining the purchase mode at 
the AV apparatus I6O2, and writing the same into RAM 
type storage media 250 by referring to Fig. 37 and Fig. 
38. 

[0541] Figure 37 is a flowchart of the related process- 
ing in the SAM lOSg. 

[0542] Figure 38 is a flowchart of the related process- 
ing in the SAM 1 063. Note that, the secure container 1 04 
may be transferred from the ROM type storage media 
130 to the RAM type storage media 250 between the 
network apparatus 1 60^ and any of the AV apparatuses 
1 602 to 1 6O4 shown in Fig. 1 . 

[0543] Step SM11 (Fig. 37): The mutual authentica- 
tion is carried out between the SAM 1 063 of the AV ap- 
paratus I6O3 and the media SAM 133 of the ROM type 
storage media 130, then a media key data K^edi of 
ROM type storage media 130 is transferred to the SAM 
1053. 

[0544] At this time, similarly, the mutual authentication 
is carried out between the SAM 1 052 ^V appara- 



tus 1 6O2 and a media SAM 252 of the RAM type storage 
media 250, then a media key data K^^dz RAM 
type storage media 250 is transferred to the SAM 1 052- 
[0545] Step SMI 2: The SAM IO53 sequentially de- 

5 crypts the key file KF, the signature data SIG7 Qp, and 
the public key certificate data CERqp and the signature 
data SIG^ ^sc thereof of Figs. 4B and 4C read from the 
RAM region 132 in the encryptor/decryptor 172 shown 
in Fig. 40 by using the distribution key data KD^ to KD3 

10 of the corresponding period. 

[0546] Next, the content file CF decrypted in the en- 
cryptor/decryptor 1 72 is output to the encryptor/decryp- 
tor 1 71 , encrypted by using the session key data Kses 
obtained by the mutual authentication between the SAM 

15 1 053 and 1 052, then output to the SAM manager 
190. 

[0547] Further, the key file KF decrypted in the en- 
cryptor/decryptor 1 72 is output to the encryptor/decryp- 
tor 171 and the signature processor 189. 

20 [0548] Step SMI 3: The signature processor 1 89 gen- 
erates the signature data SIG350 sams the key file KF 
by using the secret key data Kg^Ms.s the SAM IO53 
and outputs this to the encryptor/decryptor 171 . 
[0549] Step SMI 4: The encryptor/decryptor 171 en- 

25 crypts the public key certificate data CERsams of the 
SAM lOSg and the signature data SIG35^ ^sc thereof, 
the key file KF and the signature data SIG350 sam3 there- 
of read from the storage unit 192, and the content file 
CF shown in Fig. 4A read from the ROM region 131 of 

30 the ROM type storage media 130 by using the session 
key data Ks^s obtained by the mutual authentication be- 
tween the SAM 1053 and 1052 then outputs the 
same to the SAM 1 052 of the AV apparatus 1 6O2 via the 
SAM manager 1 90. 

35 [0550] Step SN1 (Fig. 38): In the SAM 1052, 
shown in Fig. 41 , the content file CF input from the SAM 
1053 via the SAM manager 190 is decrypted by using 
the session key data Kses the encryptor/decryptor 
1 71 and then written into a RAM region 251 of the RAM 

40 type storage media 250 via the media SAM manager 
197. 

[0551] Further, the key file KF and the signature data 
SIG350 SAM3 thereof and the public key certificate data 
CER3AIV13 and the signature data SIG35-1 esc thereof in- 
45 put from the SAM 1 053 via the SAM manager 1 90 are 
written into the stack memory 200 and then decrypted 
by using the session key data Kses encryptor/de- 
cryptor 171. 

[0552] Step SN2: The related decrypted signature da- 
50 ta SIG351 ESC verified in the signature processor 1 89. 
When the legitimacy thereof is confirmed, the legitimacy 
of the signature data SIG35Q sams' that is, the legitimacy 
of the source of transmission of the key file KF, is con- 
firmed by using the public key data Ksams stored in the 
55 public key certificate data CERsams- 

[0553] Then, when the legitimacy of the signature da- 
ta SIG350 SAM3 confirmed, the key file KF is read from 
the stack memory 200 and output to the secure contain- 
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er decryptor 183. 

[0554] Step SN3: The secure container decryptor 1 83 
decrypts the key file KF by using the distribution key data 
KD-, to KDg of the corresponding period and writes the 
related decrypted key file KF into the stack memory 200 
after the predetermined signature verification. 
[0555] Thereafter, the usage control policy data 1 06 
stored in the key file KF already decrypted and stored 
in the stack memory 200 is output to the usage monitor 
186. Then, the usage monitor 186 manages the pur- 
chase mode and the usage mode of the content based 
on the usage control policy data 1 06. 
[0556] Step SN4: The charge processor 1 87 decides 
whetheror notthe control signal SI 65 indicating the trial 
listening mode is generated by the operation of the pur- 
chase/usage mode determination controller 165 of Fig. 
16 by the user, performs the processing of step SN55 
when it decides it is generated, and performs the 
processing of step SN6 when it is not generated. 
[0557] Step SN5: When the trial listening mode is se- 
lected by the user, the content data C of the content file 
CF already decrypted by the session key data Kqes, ^he 
content key data Kc stored in the stack memory 200, the 
semi-disclosure parameter data 199, and the user wa- 
termark data 1 96 obtained from the usage control policy 
data 1 06 are output to the reproduction module 270 via 
the decryption/decompression module manager 184 
shown in Fig. 36 after the mutual authentication. Then, 
the reproduction module 270 reproduces the content 
data C corresponding to the trial listening mode. 
[0558] Step SN6: The purchase and/or usage mode 
of the content is determined by the operation of the pur- 
chase/usage determination controller 1 65 shown in Fig. 
36 by the user, then the control signal SI 65 in accord- 
ance with the related determination is output to the 
charge processor 187. 

[0559] Step SN7: The charge processor 187 gener- 
ates the usage control status data 1 66 and the usage 
log data 108 in accordance with the determined pur- 
chase and/or usage mode and writes this into the stack 
memory 200 and the external memory 201 . 
[0560] Step SN8: For example, the key file KF^ shown 
in Fig. 29B storing the usage control status data 166 
read from the stack memory 200 is generated, then this 
is output to the encryptor/decryptor 173. 
[0561] Step SN9: The encryptor/decryptor 173 se- 
quentially encrypts the data by using the storage key 
data KgTR, media key data ^^^^2^ and the purchaser 
key data Kp\^ read from the storage unit 1 92 and outputs 
it to the media SAM manager 1 97. 
[0562] Step SN10: The media SAM manager 197 
writes the key file KF-, into the RAM region 251 or the 
media SAM 252 of the RAM type storage media 250 by 
the storage module 271 shown in Fig. 36. 
[0563] Further, the usage control status data 1 66 and 
the usage log data 1 08 are transmitted to the EM D serv- 
ice center 1 02 at the predetermined timing. 
[0564] Below, an explanation will be made of the 



method of realization of the SAMs 1 05-, to 1064. 
[0565] When realizing the functions of the SAMs 1 05^ 
to 1 054 as hardware, by using an ASIC type CPU includ- 
ing a memory, data having a high degree of secrecy 
5 such as the security functional module for realizing the 
functions shown in Fig. 1 7, the program module for per- 
forming the right clearing of the content, and the key da- 
ta are stored in that memory. A series of right clearing 
use program modules such as an encryption library 
module (public key code, common key code, random 
number generator, hush function), a program module for 
the usage control of the content, and a program module 
of the charge processing are mounted as for example 
software. 

[0566] For example, a module such as the encryptor/ 
decryptor 1 71 shown in Fig. 1 7 is installed as an IP core 
in the ASIC type CPU as hardware due to the problem 
of for example processing speed. Depending to the 
clock speed or performance of CPU code system etc., 
it is also possible to install the encryptor/decryptor 171 
as software. 

[0567] Further, as the storage unit 192 shown in Fig. 
17, the program module for realizing the functions 
shown in Fig. 17, and the memory for storing the data, 
use is made of for example a nonvolatile memory (flash- 
ROM), while as the working memory, a high speed wri- 
table memory such as an SRAM is used. Note that, other 
than them, as the memory included in the SAMs 105^ 
to 1 054, it is also possible to use a ferroelectric memory 
(FeRAM). 

[0568] Further, the SAMs 105^ to 1064 include, other 
than the above, a clock function used for the verification 
of the date in the term of validity and the contract period 
etc. for the usage of the content. 
[0569] As mentioned above, the SAMs 105-, to IO54 
have tamper resistant structures shutting off the pro- 
gram module, data, and the processing content from the 
outside. In order to prevent the program and content of 
data having high secrecy stored in the memory inside 
the IC of the related SAM or the values of the group of 
registers and the encryption library related to the system 
configuration of the SAMs or the group of registers of 
the clock from being read and newly written via the bus 
of the host CPU of the apparatuses with the SAMs 1 05-, 
to 1 064 mounted thereon, that is, in order to prevent the 
host CPU of the mounted apparatus from accessing the 
allocated address space, each SAM sets an address 
space not visible from the host CPU of the mounted ap- 
paratus side using an MMU (memory management unit) 
for managing the memory space on the CPU side. 
[0570] Further, the SAMs 105^ to IO54 have struc- 
tures durable also against X-rays or heats or other phys- 
ical attack from the outside and further have structures 
whereby even if real-time debugging (reverse engineer- 
ing) using a debugging tool (hardware ICE, software 
ICE) or the like is carried out, the processing content 
cannot be understood or whereby a debugging tool per 
se cannot be used after the manufacture of ICs. 
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[0571] The SAMs 1 05-, to 1 064 themselves are usual 
ASIC type CPUs including memories in the hardware 
structure. Their functions depend on the software for op- 
erating the related CPUs, but they differ from the general 
ASIC type CPUs in the point that they have encryption 
functions and tamper resistant hardware structures. 
[0572] When realizing all of the functions of the SAMs 
105^ to 1064 by software, there is the case where the 
software processing is carried out by enclosing the 
same inside a module having tamper resistance and the 
case where they are achieved by software processing 
on the host CPU mounted on a usual set and contriv- 
ances made to make deciphering impossible at only the 
time of the related processing. The former is the same 
as the case where the encryption library module is 
stored in the memory not as an IP core, but as a usual 
software module and can be considered similar to the 
case where it is realized as hardware. On the other 
hand, the latter is referred to as tamper resistant soft- 
ware whereby even if the state of execution can be de- 
ciphered by an ICE (debugger), the sequence of execu- 
tion of a task is scattered (in this case, the task is cut so 
that each cut task piece has meaning as a program, that 
is, there is no influence upon the lines before and after 
that) or the task per se is encrypted and can be realized 
in the same way as a task scheduler (MiniOS) aimed at 
one type of secure processing. The related task sched- 
uler is buried in the target program. 
[0573] Next, an explanation will be made of the de- 
cryption/decompression module 163 shown in Fig. 16. 
[0574] As shown in Fig. 16, the decryption/decom- 
pression module 163 has the mutual authenticator 220, 
decryptor 221 , decryptor 222, decompression unit 223, 
electronic watermark information processor 224, and 
semi-disclosure processor 225. 

[0575] The mutual authenticator 220 performs the 
mutual authentication with the mutual authenticator 1 70 
shown in Fig. 26 and generates the session key data 
KsEs when the decryption/decompression module 163 
receives as its input the data from the SAM 1 05-,. 
[0576] The decryptor 221 decrypts the content key 
data Kc, semi-disclosure parameter data 1 99, user wa- 
termark data 196, and content data C input from the 
SAM 105-1 by using the session key data Kq^q. Then, 
the decryptor 221 outputs the decrypted content key da- 
ta Kc and the content data C to the decryptor 222, out- 
puts the decrypted user watermark data 1 96 to the elec- 
tronic watermark information processor 224, and out- 
puts the semi-disclosure parameter data 199 to the 
semi-disclosure processor 225. 

[0577] The decryptor 222 decrypts the content data C 
in the semi-disclosure state by using the content key da- 
ta Kc under the control of the semi-disclosure processor 
225 and outputs the decrypted content data C to the de- 
compression unit 223. 

[0578] The decompression unit 223 decompresses 
the decrypted content data C and outputs the same to 
the electronic watermark information processor 224. 



[0579] The decompression unit 223 performs the de- 
compression processing by using the A/V decompres- 
sion software stored in the content file CF shown in Fig. 
4A and performs the decompression processing by for 

5 example the ATRAC3 method. 

[0580] The electronic watermark information proces- 
sor 224 buries the user watermark in accordance with 
the decrypted user watermark data 1 96 in the decrypted 
content data C to generate new content data C. The 

10 electronic watermark information processor 224 outputs 
the related new content data C to the reproduction mod- 
ule 169. 

[0581 ] In this way, the user watermark is buried at the 
decryption/decompression module 163 when reproduc- 
es ing the content data C. 

[0582] Note that, in the present invention, it is also 
possible that the user watermark data 1 96 not be buried 
in the content data C. 

[0583] The semi-disclosure processor 225 indicates 
20 the blocks not to be decrypted and the blocks to be de- 
crypted in for example the content data C to the decryp- 
tor 222 based on the semi-disclosure parameter data 
199. 

[0584] Further, the semi-disclosure processor 225 
25 performs control to for example limit the reproduction 

function at the time of trial listening or limit the possible 
listening period based on the semi-disclosure parame- 
ter data 199. 

[0585] The reproduction module 1 69 performs the re- 
30 production in accordance with the decrypted and de- 
compressed content data C. 

[0586] Next, an explanation will be made of the data 
format when transferring data with the signature data 
generated by using the secret key data attached thereto 
35 and public key certificate data among the content pro- 
vider 101, EMD service center 1 02, and user home net- 
work 1 03. 

[0587] Figure 42A is a view for explaining the data for- 
mat for the case where the data Data is transmitted from 
40 the content provider 1 01 to the SAM 1 05-, by the in-band 
method. 

[0588] In this case, a module ModgQ encrypted by the 
session key data K^^q obtained by the mutual authen- 
tication between the content provider 101 and the SAM 
45 1 05^ is transmitted from the content provider 1 01 to the 
SAM 105^. 

[0589] The module Modgg stores a module Mod5-| and 
the signature data SIGqp based on the secret key data 
Kqp3 thereof. 

50 [0590] The module Modg^ stores the public key cer- 
tificate data CERqp storing the secret key data Kqp p of 
the content provider 1 01 , the signature data SIG^sc 
tained based on the secret key data K^sc.s with respect 
to the public key certificate data CERqp, and the data 

55 Data to be transmitted. 

[0591] In this way, by transmitting the module Modgg 
storing the public key certificate data CERqp from the 
content provider 101 to the SAM 105^, when verifying 
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the signature data SIGqp at the SAM 1 05^ , it becomes 
unnecessary to transmit the public key certificate data 
CERcp from the EMD service center 102 to the SAM 
105i. 

[0592] Figure 42B and Fig. 42C are views for explain- 
ing the data format in the case of transmitting the data 
Data from the content provider 1 01 to the SAM 1 05^ by 
the out-of-band method. 

[0593] In this case, a module Mod52 shown in Fig. 42B 
encrypted by the session key data Kg^s obtained by the 
mutual authentication between the content provider 1 01 
and the SAM 105^ is transmitted from the content pro- 
vider 101 to the SAM 105^. 

[0594] The module Mod52 stores the data Data to be 
transmitted and the signature data SIGqp based on the 
secret key data Kqpq thereof. 

[0595] Further, a module Modgg shown in Fig. 42C en- 
crypted by the session key data Kg^g obtained by the 
mutual authentication between the EMD service center 
102 and the SAM 105^ is transmitted from the EMD 
service center 1 02 to the SAM 1 05^. 
[0596] The module Modgg stores the public key cer- 
tificate data CERqp of the content provider 1 01 and the 
signature data SIG^sq based on the secret key data 
Kesc.s thereof. 

[0597] Figure 42D is a view for explaining the data for- 
mat of the case where the data Data is transmitted from 
the SAM 1 05^ to the content provider 1 01 by the in-band 
method. 

[0598] In this case, a module Mod54 encrypted by the 
session key data Kg^s obtained by the mutual authen- 
tication between the content provider 1 01 and the SAM 
1 05^ is transmitted from the SAM 1 05^ to the content 
provider 101 . 

[0599] The module Mod54 stores a module Modgg and 
the signature data SIGsami based on the secret key da- 
ta KsAMi.s thereof. 

[0600] The module Modgg stores the public key cer- 
tificate data CER3AM1 storing the secret key data 
KsAMi,p of the SAM 105-,, the signature data SIG^gQ 
based on the secret key data K^gQ g with respect to pub- 
lic key certificate data CERqami, and the data Data to 
be transmitted. 

[0601] In this way, by transmitting the module Mod55 
storing the public key certificate data CERsami ^''^m the 
SAM 105-, to the content provider 101, when verifying 
the signature data SIGqami '"^ the content provider 1 01 , 
it becomes unnecessary to transmit the public key cer- 
tificate data CERsami ^^^^ the EMD service center 1 02 
to the content provider 1 01 . 

[0602] Figure 42E and Fig. 42F are views for explain- 
ing the data format when transmitting the data Data from 
the SAM 1 05^ to the content provider 1 01 by the out-of- 
band method. 

[0603] In this case, a module Modsg shown in Fig. 42E 
encrypted by the session key data Kg^s obtained by the 
mutual authentication between the content provider 1 01 
and the SAM 1 05^ is transmitted from the SAM 1 05^ to 



the content provider 1 01 . 

[0604] The module Modgg stores the data Data to be 
transmitted and the signature data SIGsami based on 
the secret key data Ksami,s thereof. 
5 [0605] Further, a module Mod57 shown in Fig. 42F en- 
crypted by a session key data Kses obtained by the mu- 
tual authentication between the EMD service center 1 02 
and the content provider 101 is transmitted from the 
EMD service center 1 02 to the content provider 1 01 . 
[0606] The module Mod57 stores the public key cer- 
tificate data CERsami ^^M 105^ and the signa- 
ture data SIG^sc based on the secret key data K^sc.s 
thereof. 

[0607] Figure 43A is a view for explaining the data for- 
mat when transmitting the data Data from the content 
provider 101 to the EMD service center 102 by the in- 
band method. 

[0608] In this case, a module Modgg encrypted by the 
session key data Kses obtained by the mutual authen- 
tication between the content provider 101 and the EMD 
service center 102 is transmitted from the content pro- 
vider 101 to the EMD service center 102. 
[0609] The module Mod58 stores a module Modgg and 
the signature data SIGqp based on the secret key data 
Kqpq thereof. 

[0610] The module Modsg stores the public key cer- 
tificate data CERqp storing the secret key data Kqp p of 
the content provider 101, the signature data SIG^sc 
based on the secret key data K^sc.s ^^^^ respect to pub- 
lic key certificate data CERqp, and the data Data to be 
transmitted. 

[061 1] Figure 43B is a view for explaining the data for- 
mat when transmitting the data Data from the content 
provider 1 01 to the EMD service center 1 02 by the out- 
of-band method. 

[0612] In this case, a module ModgQ shown in Fig. 43B 
encrypted by the session key data Kses obtained by the 
mutual authentication between the content provider 1 01 
and the EMD service center 102 is transmitted from the 
content provider 101 to the EMD service center 102. 
[0613] The module Modgg stores the data Data to be 
transmitted and the signature data SIGqp based on the 
secret key data Kqps thereof. 

[0614] At this time, the public key certificate data 
CERqp of the content provider 101 has been already 
registered in the EMD service center 102. 
[061 5] Figure 43C is a view for explaining the data for- 
mat when transmitting the data Data from the SAM 1 05^ 
to the EMD service center 102 by the in-band method. 
[0616] In this case, a module Modgi encrypted by the 
session key data Kses obtained by the mutual authen- 
tication between the EMD service center 102 and the 
SAM 105^ is transmitted from the SAM 105^ to the EMD 
service center 102. 

[061 7] The module Modgi stores a module Modgg and 
the signature data SIGsami based on the secret key da- 
ta KsAMi, 8 thereof. 

[0618] The module Modgg stores the public key cer- 
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tificate data CERs^^^-, storing the secret key data 
KsAMi,p of SAM 105-1, the signature data SIG^sc 
based on the secret l^ey data K^sc.s with respect to pub- 
lic l^ey certificate data CERsami' ^"^^I the data Data to 
be transmitted. 5 
[061 9] Figure 43D is a view for explaining the data for- 
mat when transmitting the data Data from the SAM 1 05^ 
to the EMD service center 1 02 by the out-of-band meth- 
od. 

[0620] In this case, a module Modgg shown In Fig. 43D io 
encrypted by the session key data Kqes obtained by the 
mutual authentication between the EMD service center 
1 02 and the SAM 1 05^ is transmitted from the SAM 1 05-, 
to the EMD service center 102. 

[0621] The module Modgg stores the data Data to be 15 
transmitted and the signature data SIGg^i^^ based on 
the secret key data Kqami ,s thereof. 
[0622] At this time, the public key certificate data 
CERsami of the SAM 105^ has been already registered 
in the EMD service center 102. 20 
[0623] Below, an explanation will be made of the 
processing for registration at the EMD service center 
1 02 at the time of shipping of the SAMs 1 05^ to 1 064. 
[0624] Note that, the processing for registration of the 
SAMs 105-1 to 1054 is the same, so the processing for 25 
registration of the SAM 105-| will be explained below. 
[0625] At the time of shipping of the SAM 105-,, the 
key data shown below is initially registered in the stor- 
age unit 1 92 shown in Fig. 1 7 etc. via the SAM manager 
149 by the key server 141 of the EMD service center 30 
102 shown in Fig. 11 . 

[0626] Further, the SAM 105^ stores in the storage 
unit 192 etc., for example, at the time of shipping, the 
program etc. used when the SAM 105.| accesses the 
EMD service center 1 02 the first time. 35 
[0627] Namely, the storage unit 1 92 stores, for exam- 
ple, the identifier SAMJD of the SAM 1 05^ given the 
on the left side in Fig. 21 , the storage key data Kstr> the 
public key data Kr.q^ of the route certificate authority 2, 
the public key data K^scp of the EMD service center 40 
102, the secret key data Ksami.s of the SAM 105-,, the 
public key certificate data CERqami ^^e signature 
data SIG22, ESC thereof, and the original key data for cre- 
ating the authentication use key data between the de- 
cryption/decompression module 163 and the media 45 
SAM at the time of initial registration. 
[0628] Note that, it is also possible to transmit the pub- 
lic key certificate data CERsami ^''oiti the EMD service 
center 1 02 to the SAM 1 05-, when registering the same 
after the shipping of the SAM 105-,. 50 
[0629] Here, the public key data KR-CA of the route 
certificate authority 2 uses an RSA generally used in 
electronic business transactions over the Internet etc. 
and has a data length of for example 1 024 bits. The pub- 
lic key data Kr.qa is issued by the route certificate au- 55 
thority 2 shown in Fig. 1 . 

[0630] The public key data K^scp of the EMD service 
center 102 is generated by utilizing an elliptical curve 
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code having a short data length and a strength equiva- 
lent to the RSA or more and has a data length of for 
example 160 bits. Note that when considering the 
strength of the encryption, desirably the public key data 
K^sc p bits or more. Further, the EMD service 

center 102 registers the public key data K^sc.p '"^ ^^e 
route certificate authority 92. 

[0631] Further, the route certificate authority 92 gen- 
erates the public key certificate data C ER^sc of the pub- 
lic key data K^sc,p- '^^^ public key certificate data 
CER^sc storing the public key data K^scp preferably 
stored in the storage unit 192 at the time of shipping of 
the SAM 1 05-1 . In this case, the public key certificate da- 
ta CER^sc is signed by the secret key data Krqqjs of 
the route certificate authority 92. 
[0632] The EMD service center 1 02 generates a ran- 
dom number to generate the secret key data Ksami ,s of 
the SAM 1 and generates the public key data Ksami, p 
forming the pair together with this. 
[0633] Further, the EMD service center 102 is given 
the authentication of the route certificate authority 92, 
issues the public key certificate data CERqami of the 
public key data Kqami P' attaches the signature data 
to this by using its own secret key data K^sc s- Namely, 
the EMD service center 1 02 achieves the function of the 
second CA (certificate authority). 
[0634] Further, the SAM 105-, is allocated a unique 
identifier SAMJD under the management of the EMD 
service center 1 02 by the SAM manager 1 49 of the EM D 
service center 1 02 shown in Fig. 1 1 . This is stored in the 
storage unit 1 92 of the SAM 1 05-, and, at the same time, 
stored also in the SAM database 149a shown in Fig. 11 
and managed by the EMD service center 102. 
[0635] Further, the SAM 105-, is connected to the 
EMD service center 102 by for example the user after 
shipping for the registration procedure. At the same 
time, the distribution use public key data KD-, to KD3 are 
transferred from the EMD service center 1 02 to the stor- 
age unit 192. 

[0636] Namely, the user utilizing the SAM 105-, must 
perform the registration procedure at the EMD service 
center 102 before downloading the content. This regis- 
tration procedure is performed off-line by for example 
mail by the user entering information identifying itself us- 
ing for example a registration form attached when pur- 
chasing the apparatus with the SAM 1 05-, mounted ther- 
eon (in the related example, the network apparatus 
I6O1). 

[0637] The SAM 1 05-, cannot be used until the regis- 
tration procedure is passed. 

[0638] The EMD service center 102 issues the iden- 
tifier USERJD unique to the user in accordance with 
the registration procedure of the SAM 1 05-, by the user, 
manages the correspondence between the SAMJD 
and the USER_ID in for example the SAM database 
149a shown in Fig. 11 , and utilizes the same at the time 
of charging. 

[0639] Further, the EMD service center 1 02 allocates 
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the information reference use identifier ID and the pass- 
word used at the first time to the user of the SAM 1 05-| 
and notifies these to the user. The user can inquired 
about information for example the state of usage (usage 
log) of the content data up to the present at the EMD 5 
service center 102 by using the information reference 
use identifier ID and the password. 
[0640] Further, the EMD service center 102 confirms 
the ID at the credit card company or the like and confirms 
the user off-line at the time of registration. io 
[0641] Next, as shown in Fig. 21, an explanation will 
be made of the procedure for storing the SAM registra- 
tion list in the storage unit 192 inside the SAM 105-,. 
[0642] The SAM 105^ shown in Fig. 1 acquires the 
SAM registration list of the SAMs 1 05^ to IO54 present 15 
in its own system by utilizing a topology map generated 
when starting up the power of the apparatus connected 
to the bus 1 91 or connecting a new apparatus to the bus 
191 when using for example an IEEE 1394 serial bus 
as the bus 191. 20 
[0643] Note that, the topology map generated in ac- 
cordance with the IEEE 1394 serial bus, that is, the bus 
191, is generated to cover the SAMs 1 05^ to 1 664 and 
the SCMS processing circuits 1065 and lOSg when, for 
example, as shown in Fig. 44, in addition to the SAM 25 
105-1 to 1054, the SCMS processing circuits IO55 and 
1 050 of the AV apparatuses 1 6O5 and 1 eOg are connect- 
ed to the bus 191. 

[0644] Accordingly, the SAM 105-, fetches the infor- 
mation for the SAMs 105-, to IO54 from the related to- 30 
pology map to generate the SAM registration list. 
[0645] The data format of the SAM registration list is 
shown in for example Fig. 45. 

[0646] Then, the SAM 1 05^ registers the related SAM 
registration list in the EMD service center 102 and ac- 35 
quires a signature. 

[0647] These processings are automatically carried 
out by the SAM 105-, by utilizing the session of the bus 
191. An instruction for registration of the SAM registra- 
tion list is issued to the EMD service center 102. 
[0648] The EM D service center 1 02 confirms the term 
of validity when receiving the SAM registration list 
shown in Fig. 45 from the SAM 105-,. Then, the EMD 
service center 1 02 sets up the corresponding portion by 
referring to the existence of the settlement function des- ^5 
ignated by the SAM 1 05., at the time of registration. Fur- 
ther, the EMD service center 1 02 checks the revocation 
list and sets a revocation flag in the SAM registration 
list. The revocation list is the list of the SAMs for which 
usage is prohibited (invalidated) by the EMD service 50 
center 1 02 for the reason of for example illicit usage. 
[0649] Further, the EMD service center 102 fetches 
the SAM registration list corresponding to the SAM 1 05-, 
at the time of settlement and confirms if the SAM de- 
scribed therein is contained in the revocation list. Fur- 55 
ther, the EMD service center 102 attaches a signature 
to the SAM registration list. 

[0650] Note that the SAM revocation list is generated 
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covering only the SAMs of the identical system (con- 
nected to the identical bus 1 91 ) and that the validity and 
invalidity of the related SAM are indicated by the revo- 
cation flag corresponding to each SAM. 
[0651] Below, an explanation will be made of the over- 
all operation of the content provider 1 01 shown in Fig. 1 . 
[0652] Figure 46 is a flowchart of the overall operation 
of the content provider 1 01 . 

[0653] Step S1 : The EMD service center 102 trans- 
mits the public key certificate data CERqp of the public 
key data Kqp of the content provider 1 01 to the content 
provider 101 after the content provider 101 passes 
through the predetermined registration processing. 
[0654] Further, the EMD service center 1 02 transmits 
the certificate CERqp-, to CERqp4 of the public key data 
^SAMi.P *o ^^SAM4,P of SAMs 105-1 to 1 064 to the 
SAMs 105-, to 1054 after the SAMs 105^ to 1064 pass 
through the predetermined registration processing. 
[0655] Further, the EMD service center 1 02 transmits 
six months' worth of the distribution key data KD-, to KDg 
each having a term of validity of one month to the con- 
tent provider 101 after the mutual authentication and 
transmits three months' worth of the distribution key da- 
ta KD-, to KD3 to the user home network 1 03. 
[0656] In this way, the EMD system 1 00 distributes the 
distribution key data KD^ to KD3 to the SAMs 105-, to 
1054 in advance, therefore, even in the case where the 
SAMs 105-, to 1054 are off-line from the EMD service 
center 102, the secure container 104 distributed from 
the content provider 101 can be decrypted and pur- 
chased and used in the SAMs 1 05-, to 1 054. In this case, 
the log of the related purchase and/or usage is de- 
scribed in the usage log data 1 08. The usage log data 
108 is automatically transmitted to the EMD service 
center 1 02 when the SAMs 1 05-, to 1 054 and the EM D 
service center 1 02 are connected. Therefore, the settle- 
ment processing in the EMD service center 102 can be 
reliably carried out. Note that the SAMs for which the 
usage log data 108 cannot be collected by the EMD 
service center 102 in a predetermined period are inval- 
idated by the revocation list. 

[0657] Note that the usage control status data 1 66 is 
transmitted from the SAMs 105-, to IO54 to the EMD 
service center 102 in real-time in principle. 
[0658] Step S2: The content provider 101 transmits 
the right registration request module Mod2 shown in Fig. 
7A to the EMD service center 102 after the mutual au- 
thentication. 

[0659] Then, the EMD service center 102 registers 
and authorizes the usage control policy data 106 and 
the content key data Kc after the predetermined signa- 
ture verification. 

[0660] Step S3: The content provider 101 performs 
the encryption by using the distribution key data KD., to 
KDg of the corresponding period etc., generates the 
content file CF and the key file KF shown in Figs. 4A 

and 4B, and distributes the secure container 1 04 storing 
them and public key certificate data CERqp shown in 
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Fig. 4C to the user home network 1 03 on-line and/or off- 
line. 

[0661] Step S4: The SAMs 105^ to 1064 of the user 
home network 1 03 decrypt the secure container 1 04 by 
using the distribution key data KD^ to KD3 of the corre- 
sponding period etc., verify the signature etc. for verify- 
ing the legitimacy of the creator and the transmitter of 
the secure container 104, and confirm whether or not 
the secure container 104 was transmitted from a legiti- 
mate content provider 1 01 . 

[0662] Step S5: The SAMs 105^ to 1064 determine 
the purchase and/or usage mode based on the control 

signal SI 65 in accordance with the operation of the pur- 
chase/usage mode determination controller 165 shown 
in Fig. 1 6 by the user. 

[0663] At this time, the usage monitor 186 shown in 
Fig. 23 manages the purchase and/or usage mode of 
the content file CF by the user based on the usage con- 
trol policy data 106 stored in the secure container 104. 
[0664] Step S6: The charge processor 187 shown in 
Fig. 23 of each of the SAMs 1 05-| to 1 064 generate the 
usage log data 1 08 and the usage control status data 
1 66 describing the operation of the settlement of the pur- 
chase and/or usage mode by the user based on the con- 
trol signal SI 65 and transmits the same to the EMD 
service center 1 02. 

[0665] Step S7: The EMD service center 102 per- 
forms the settlement processing based on the usage log 
data 108 in the settlement processor 142 shown in Fig. 
1 1 and generates the settlement claim data 1 52 and the 
settlement report data 107. The EMD service center 102 
transmits the settlement claim data 152 and the signa- 
ture data SIGqs thereof via the payment gateway 90 
shown in Fig. 1 to the settlement organization 91. Fur- 
ther, the EMD service center 102 transmits the settle- 
ment report data 1 07 to the content provider 1 01 . 
[0666] Step S8: The settlement organization 91 veri- 
fies the signature data SIGgs, then distributes the money 
paid by the user to the owner of the content provider 1 01 
based on the settlement claim data 152. 
[0667] As explained above, the EM D system 1 00 dis- 
tributes the secure container 1 04 of the mode shown in 
Fig. 4 from the content provider 101 to the user home 
network 1 03and performs the processing for the key file 
KF in the secure container 104 in the SAMs 105^ to 
1054. 

[0668] Further, the content key data Kc and the usage 
control policy data 106 stored in the key file KF are en- 
crypted by using the distribution key data KD-, to KD3 
and are decrypted inside only the SAMs 105-, to IO54 
holding the distribution key data KD-, to KD3. Then, the 
SAMs 105-1 to 1054 determine the purchase mode and 
the usage mode of the content data C based on the han- 
dling content of the content data C described in the us- 
age control policy data 106 which a module having 
tamper resistance. 

[0669] Accordingly, according to the EMD system 
100, the purchase and usage of the content data C in 



the user home network 103 can be reliably carried out 
based on the content of the usage control policy data 
1 06 generated by the related parties of the content pro- 
vider 101. 

5 [0670] Further, the EMD system 100 enables com- 
mon right clearing of the content data C in the SAMs 
1 05^ to 1 054 both on-line and off-line by distributing the 
content data C from the content provider 1 01 to the user 
home network 1 03 by using the secure container 1 04 in 

10 both cases. 

[0671] Further, the EMD system 100 enables use of 
common right clearing rules when purchasing, using, 
storing, and transferring the content data C in the net- 
work apparatus 160^ and the AV apparatuses I6O2 to 

^5 I6O4 in the user home network 103 by performing 
processing always based on the usage control policy 
data 106. 

First Modification of First Embodiment 

20 

[0672] In the above embodiment, as shown in Fig. 4B, 
the case where the key file KF was encrypted by using 
the distribution key data KD in the content provider 101 
and where the key file KF was decrypted by using the 

25 distribution key data KD in the SAMs 1 05-, to 1 054 was 
illustrated, but the encryption of the key file KF using the 
distribution key data KD is not always necessary when 
the secure container 104 is directly supplied from the 
content provider 1 01 to the SAMs 1 05^ to 1 054 as shown 

30 in Fig. 1. 

[0673] In this way, the encryption of the key file KF by 
using the distribution key data KD exhibits a large effect 
when suppressing illegal action by the service provider 
by giving the distribution key data KD to only the content 
35 provider and the user home network when supplying 
content data from the content provider to the user home 
network via the service provider as in the second em- 
bodiment mentioned later. 

[0674] Note that in the case of the first embodiment 
40 as well, the encryption of the key file KF by using the 
distribution key data KD is effective in the point of im- 
proving the ability to suppress illicit usage of the content 
data. 

[0675] Further, in the above embodiment, the case 
45 where the suggested retailer' price data SRP was stored 
in the usage control policy data 106 in the key file KF 
shown in Fig. 4B was illustrated, but it is also possible 
to store the suggested retailer' price data SRP (price tag 
data) other than the key file KF in the secure container 
50 1 04. In this case, the signature data generated by using 
the secret key data Kqp is attached to the suggested 
retailer' price data SRP. 

Second Modification of First Embodiment 

55 

[0676] In the first embodiment, as shown in Fig. 1 , the 
case where the EMD service center 102 performs the 
settlement processing in the settlement organization 91 
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via the payment gateway 90 by using tine settlement 
claim data 152 generated by an apparatus itself was il- 
lustrated, but it is also possible to transmit for example 
the settlement claim data 152 from the EMD service 
center 1 02 to the content provider 1 01 as shown in Fig. 5 
47 and have the content provider 1 01 itself perform the 
settlement processing with respect to the settlement or- 
ganization 91 via the payment gateway 90 by using the 
settlement claim data 152. 

10 

Third Modification of First Embodiment 

[0677] In the above first embodiment, the case where 
the secure container 104 was supplied from the single 
content provider 101 to the SAMs 105-, to IO54 of the 15 
user home network 1 03 was illustrated, but it is also pos- 
sible to supply secure containers 104a and 104b from 
two or more content providers 101a and 101b to the 
SAMs 105i to 1054. 

[0678] Figure 48 is a view of the configuration of the 20 
EMD system according to a third modification of the first 
embodiment where the content providers 101a and 
101b are used. 

[0679] In this case, the EMD service center 102 dis- 
tributes six months' worth of distribution key data KD^^ 25 
to KD36 ^"^ci KDbi to KD|36 to the content providers 1 01 a 
and 101b. 

[0680] Further, the EMD service center 102 distrib- 
utes three months' worth of the distribution key data 
KD31 to KD33 and KDbi to KD^g to the SAMs 105^ to 30 
1054. 

[0681] Further, the content provider 101 a supplies the 
secure container 104a storing a content file CFa en- 
crypted by using a unique content key data Kca and a 
key file KFa encrypting the content key data Kca and a 35 
usage control policy data 106a etc. by using the distri- 
bution key data KD^^ to KD^e of the corresponding pe- 
riod to the SAMs 105-, to IO54 on-line and/or off-line. 
[0682] At this time, as the identifier of the key file, use 
is made of the global unique identifier ContentJD dis- 40 
tributed by the EMD service center 102. The content da- 
ta is centrally managed by the EMD service center 1 02. 
[0683] Further, the content provider 1 01 b supplies the 
secure container 104b storing a content file CFb en- 
crypted by using unique content key data Kcb and a key ^5 
file KFb encrypting the content key data Kcb and usage 
control policy data 106b etc. by using the distribution 
key data KD,^^ to KDj^g of the corresponding period to 
the SAMs 1 05-1 to 1 054 on-line and/or off-line. 
[0684] The SAMs 105-, to IO54 decrypt the secure 50 
container 104a by using the distribution key data KD^^ 
to KD^3 of the corresponding period, determine the pur- 
chase mode of the content after the predetermined sig- 
nature verification processing etc., and transmit usage 
log data 1 08a and usage control status data 1 66a gen- 55 
e rated in accordance with the related determined pur- 
chase mode and usage mode to the EMD service center 
102. 



[0685] Further, the SAMs 1 05-, to 1 054 decrypt the se- 
cure container 104b by using the distribution key data 
KDbi to KDb3 of the corresponding period, determine the 
purchase mode of the content after the predetermined 
signature verification processing etc., and transmit us- 
age log data 108b and usage control status data 166b 
generated in accordance with the related determined 
purchase mode and usage mode to the EMD service 
center 102. 

[0686] The EM D service center 1 02 generates settle- 
ment claim data 152a for the content provider 101a 
based on the usage log data 1 08a and performs the set- 
tlement processing with respect to the settlement organ- 
ization 91 by using this. 

[0687] Further, the EM D service center 1 02 generates 
settlement claim data 1 52b for the content provider 101b 
based on the usage log data 1 08b and performs the set- 
tlement processing with respect to the settlement organ- 
ization 91 by using this. 

[0688] Further, the EMD service center 1 02 performs 
the authorization by registering the usage control policy 
data 1 06a and 1 06b. At this time, the EMD service cent- 
er 102 distributes the global unique identifier 
Content_ID with respect to the key files KFa and KFb 
corresponding to the usage control policy data 1 06a and 
106b. 

[0689] Further, the EMD service center 102 issues 
public key certificate data CERQpa and CERQpb of the 
content providers 101a and 101b and attaches its own 
signature data SIGi^^sq and SIG-i^^sq to them to cer- 
tify the legitimacy. 

Second Embodiment 

[0690] In the above embodiment, the case where the 
content data was directly distributed from the content 
provider 1 01 to the SAMs 1 05^ to 1 054 of the user home 
network 103 was illustrated, but in the present embodi- 
ment, an explanation will be made of the case of distrib- 
uting the content data provided by the content provider 
to the SAM of the user home network via the service 
provider. 

[0691] Figure 49 is a view of the configuration of an 
EMD system 300 of the present embodiment. 
[0692] As shown in Fig. 49, the EMD system 300 has 
a content provider 301, an EMD service center 302, a 
user home network 303, a service provider 310, a pay- 
ment gateway 90, and a settlement organization 91 . 
[0693] The content provider 301 , EMD service center 
302, SAMs 105-1 to IO54, and service provider 310 cor- 
respond to the data providing apparatus, management 
apparatus, data processing apparatus, and data distri- 
bution apparatus of the present invention. 
[0694] The content provider 301 is the same as the 
content provider 1 01 of the first embodiment except for 
the point that it supplies the content data to the service 
provider 31 0. 

[0695] Further, the EMD service center 302 is the 
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same as the EMD service center 1 02 of the first embod- 
iment except for the point that the authentication func- 
tion, key data management function, and right clearing 
function are provided also with respect to the service 
provider 31 0 in addition to the content provider 1 01 and 5 
SAMs 505^ to 5064. 

[0696] Further, the user home network 303 has a net- 
work apparatus 360-, and AV apparatuses 36O2 to 36O4. 
The network apparatus 3601 includes a SAM 305^ and 
a CA module 311, while the AV apparatuses 36O2 to 10 
36O4 include the SAMs 3052 ^05^. 
[0697] Here, the SAMs 305^ to 3064 are the same as 
the SAMs 105-1 to IO54 of the first embodiment except 
for the point that they receive the distribution of a secure 
container 304 from the service provider 310 and the 15 
point that they perform the verification processing of the 
signature data and the preparation of an SP use pur- 
chase log data (data distribution apparatus use pur- 
chase log data) 309 for the service provider 310 in ad- 
dition to the content provider 301 . 20 
[0698] First, a brief explanation will be made of the 
EMD system 300. 

[0699] In the EMD system 300, the content provider 
301 transmits the usage control policy (UCP) data 106 
similar to that of the first embodiment mentioned before 25 
indicating the content of the right such as the license 
conditions of the content data C of the content to be pro- 
vided by itself to the authority manager having a high 
reliability, that is, the EMD service center 302. The us- 
age control policy data 106 is registered in the EMD 30 
service center 302 and authorized (certified). 
[0700] Further, the content provider 301 encrypts the 
content data C by the content key data Kc to generate 
the content file CF. Further, the content provider 301 en- 
crypts the content key data Kc and the usage control 35 
policy data 106 by using the distribution key data KD^ 
to KDq of the corresponding period distributed from the 
EMD service center 302 to generate the key file KF stor- 
ing them. Then, the content provider 301 supplies the 
secure container 1 04 storing the content file CF, key file 40 
KF, and its own signature data to the service provider 
310 by using the Internet or other network, a digital 
broadcast, storage medium, or an informal protocol or 
off-line or the like. 

[0701] When receiving the secure container 1 04 from ^5 
the content provider 301 , the service provider 31 0 veri- 
fies the signature data and confirms if the secure con- 
tainer 104 was generated by a legitimate content pro- 
vider 301 and the legitimacy of the sender. 
[0702] Next, the service provider 31 0 generates price 50 
tag data (PT) 31 2 indicating the price obtained by adding 
the price of its service to the price (SRP) with respect to 
the content intended by the content provider 301 notified 
for example off-line. 

[0703] Then, the service provider 31 0 generates the 55 
secure container 304 storing the content file CF and key 

file KF fetched from the secure container 1 04, the price 
tag data 312, and the signature data by its own secret 



key data K3P 3 with respect to them. 
[0704] At this time, the key file KF is encrypted by the 
distribution key data KD^ to KDq, and the service pro- 
vider 31 0 does not hold the related distribution key data 
KD-i to KDg, therefore the service provider 310 cannot 
view or rewrite the content of the key file KF. 
[0705] Further, the EMD service center 302 registers 
and authorizes the price tag data 312. 
[0706] The service provider 31 0 distributes the secure 
container 304 to the user home network 303 on-line and/ 
or off-line. 

[0707] At this time, in the off-line case, the secure con- 
tainer 304 is supplied to the SAMs 305-, to 3054 as it is. 
On the other hand, in the on-line case, the mutual au- 
thentication is carried out between the service provider 
310 and the CA module 311, the secure container 304 
is encrypted by using the session key data Kqes '"^ the 
service provider 310 and transmitted, and the secure 
container 304 received at the CA module 31 1 is decrypt- 
ed by using the session key data Kses ^"^1 then trans- 
ferred to the SAMs 305^ to 3054. 
[0708] Next, the SAMs 305-, to 3054 decrypt the se- 
cure container 304 by using the distribution key data 
KD^ to KD3 of the corresponding period distributed from 
the EMD service center 302, then perform the verifica- 
tion processing of the signature data. 
[0709] The secure container 304 supplied to the 
SAMs 305-1 to 3054 is reproduced and stored in the stor- 
age medium after the purchase and/or usage mode is 
determined in accordance with the operation of the user 
in the network apparatus 360^ and the AV apparatuses 
36O2 to 36O4. 

[0710] The SAMs 305i to 3054 store the log of the pur- 
chase and/or usage of the secure container 304 as the 
usage log data 308. 

[0711] The usage log data (log data or the manage- 
ment apparatus use log data) 308 is transmitted from 
the user home network 303 to the EMD service center 
302 in response to for example a request from the EMD 
service center 302. 

[0712] The EMD service center 302 determines (cal- 
culates) the charge content for each of the content pro- 
vider 301 and the service provider 31 0 based on the us- 
age log data 308 and performs the settlement at the set- 
tlement organization 91 such as the bank via the pay- 
ment gateway 90 based on the results. By this, the mon- 
ey paid by the user of the user home network 103 is 
distributed to the content provider 101 and the service 
provider 31 0 by the settlement processing by the EMD 
service center 102. 

[0713] In the present embodiment, in the same way 

as the first embodiment, by providing the content data 
C of digital by encapsulation, value can be imparted to 
the digital content itself by separating the conventional 
digital content, which had been closely attached to the 
storage medium, from the storage medium. 
[0714] Here, the secure container is the most basic 
product capsule when selling the content data C (prod- 
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uct) no matter which distribution channel (delivery chan- 
nel) it is provided over. Specifically, the secure container 
is a product capsule containing the encryption informa- 
tion for the charging, the signature data for verifying the 
legitimacy of the content of the content data C, the le- 5 
gitimacy of the party preparing the content data, and the 
legitimacy of the distributor of the content data, and in- 
formation relating to the copyright such as the informa- 
tion concerning the electronic watermark information to 
be buried in the content data. io 
[0715] Further, in the present embodiment, the ElVID 
service center 302 has the certificate authority function, 
key data management function, and the right clearing 
(profit distribution) function. 

[0716] Namely, the EM D service center 302 plays the ^5 
role of the second certificate authority with respect to 
the highest authority manager at the neutral position, 
that is, the route certificate authority 92, and certifies the 
legitimacy of the related public key data by attaching the 
signature based on the secret key data of the ElVID serv- 20 
ice center 302 to public key certificate data of public key 
data to be used for the verification processing of the sig- 
nature data in the content provider 301 , service provider 
31 0, and the SAIVIs 305-, to 3064. Further, as mentioned 
before, the registration and authorization of the usage 25 
control policy data 106 of the content provider 301 and 
the price tag data 312 of the service provider 310 are 
achieved by the certificate authority function of the ElVID 
service center 302. 

[0717] Further, the EMD service center 302 has a key 30 
data management function for managing for example 
the key data of the distribution key data KD^ to KDq. 
[0718] Further, the EMD service center 3 02 has aright 
clearing (profit distribution) function of performing set- 
tlement with respect to the purchase and/or usage of the 35 
content by the user of the user home network 303 based 
on the usage control policy data 106 registered by the 
content provider 301 , the usage log data 308 input from 
the SAMs 305-1 to 3064, and the price tag data 312 reg- 
istered by the service provider 31 0 and distributing and 40 
paying the money paid by the user to the content pro- 
vider 301 and the service provider 310. 
[071 9] Below, the components of the content provider 
301 will be explained in detail. 

45 

[Content Provider 301] 

[0720] Figure 50 is a functional block diagram of the 
content provider 301 and shows the flow of the data re- 
lated to the data transferred with the service provider 50 
310. 

[0721] As shown in Fig. 50, the content provider 301 
has a content master source server 111, electronic wa- 
termark information adder 112, compressor 113, en- 
cryptor 114, random number generator 115, encryptor 55 
116, signature processor 117, secure container gener- 
ator 118, secure container database 118a, storage unit 
1 1 9, mutual authenticator 1 20, encryptor/decryptor 121, 



usage control policy data generator 122, EMD service 
center manager 125, and service provider manager 
324. 

[0722] In Fig. 50, components given the same refer- 
ences as those of Fig. 2 are the same as the compo- 
nents of the same references explained in the first em- 
bodiment by referring to Fig. 2 and Fig. 3. 
[0723] Namely, the content provider 301 has a config- 
uration providing the service provider manager 324 in 
place of the SAM manager 124 shown in Fig. 2. 
[0724] The service provider manager 324 provides 
the secure container 1 04 input from the secure contain- 
er generator 118 to the service provider 310 shown in 
Fig. 49 off-line and/or on-line. The secure container 104, 
in the same way as the first embodiment, stores the con- 
tent file CF and the signature data SIGg cp thereof, the 
key file KF and the signature data SIG7 Qp thereof, and 
the public key certificate data CERqp and the signature 
dataSIG. 

ESC thereof shown in Fig. 4A, Fig. 4B and Fig. 

4C. 

[0725] When distributing the secure container 1 04 to 
the service provider 310 on-line, the service provider 

manager 324 encrypts the secure container 1 04 by us- 
ing the session key data Kg^g in the encryptor/decryptor 
1 21 and then distributes the same via the network to the 
service provider 310. 

[0726] Further, the flow of the data in the content pro- 
vider 101 shown in Fig. 3 similarly applies also to the 
service provider 310. 

[Service Provider 310] 

[0727] The service provider 31 0 distributes the secure 
container 304 storing the content file CF and key file KF 
in the secure container 104 provided from the content 
provider 301 and the price tag data 312 generated by 
itself to the network apparatus 360^ and the AV appa- 
ratuses 36O2 to 36O4 of the user home network 303 on- 
line and/or off-line. 

[0728] The service modes of the distribution of con- 
tent by the service provider 31 0 may be roughly classi- 
fied into an independent service and a linked service. 
[0729] An independent service is for example a serv- 
ice exclusively for download for individually distributing 
the content. Further, a linked service is a service for dis- 
tributing content linked to a program and CM (advertise- 
ment). For example, content such as the theme song 
and insertion song of a drama is stored in the stream of 
the drama program. The user can purchase content 
such as the theme song and insertion song in the stream 
when watching the drama program. 
[0730] Figure 51 is a functional block diagram of the 
service provider 310. 

[0731] Note that, in Fig. 51 , the flow of the data when 
supplying the secure container 304 in accordance with 
the secure container 1 04 supplied from the content pro- 
vider 301 to the user home network 303 is shown. 
[0732] As shown in Fig. 51 , the service provider 31 0 
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has a content provider manager 350, a storage unit 351 , 
a mutual authenticator 352, an encryptor/decryptor 353, 
a signature processor 354, a secure container generator 
355, a secure container database 355a, a price tag data 
generator 356, a user liome network manager 357, an 
EMD service center manager 358, and a user prefer- 
ence filter creator 920. 

[0733] Below, an explanation will be made of the flow 
of the processing in the service provider 31 0 when cre- 
ating the secure container 304 from the secure contain- 
er 104 supplied from the content provider 301 and dis- 
tributing this to the user home network 303 by referring 
to Fig. 51 and Fig. 52. 

[0734] Figure 52 is a flowchart of the related process- 
ing. 

[0735] Step SZ1 : The content provider manager 350 
receives the supply of the secure container 104 shown 
in Fig. 4 from the content provider 301 on-line and/or 
off-line and writes the secure container 1 04 into the stor- 
age unit 351. 

[0736] At this time, the content provider manager 350 
decrypts the secure container 104 in the encryptor/de- 
cryptor 353 by using the session key data Kg^g obtained 
by the mutual authentication between the mutual au- 
thenticator 120 shown in Fig. 50 and the mutual authen- 
ticator 352 shown in Fig. 51 in the on-line case and then 
writes the same into the storage unit 351 . 
[0737] Step SZ2: The signature processor 354 veri- 
fies the signature data SIG-, shown in Fig. 4C of the 
secure container 104 stored in the storage unit 351 by 
using the public key data K^scp E\\/\D service 

center 302 read from the storage unit 351 and, after the 
legitimacy thereof is confirmed, fetches the public key 
data Kqp p from public key certificate data CERqp shown 
in Fig. 4C. 

[0738] Step SZ3: The signature processor 354 veri- 
fies the signature data SIGq cp and SIG7 Qp shown in 
Fig. 4A and Fig. 4B of the secure container 104 stored 
in the storage unit 351 by using the related fetched pub- 
lic key data Kqp p. 

[0739] Step S;Z4: The price tag data generator 356 
generates the price tag data 31 2 indicating the price ob- 
tained by adding the price of its own service to the price 
with respect to the content requested by the content pro- 
vider 301 notified from for example the content provider 
301 off-line and outputs this to the secure container gen- 
erator 355. 

[0740] Step SZ5: The signature processor 354 takes 
the hush values of the content file CF, key file KF, and 
price tag data 312, generates signature data SIG62,sP' 
SIGgg sp, and SIG64 sp by using a secret key data Ksp p 
of the service provider 31 0, and outputs the result to the 
secure container generator 355. 
[0741 ] Step SZ6: The secure container generator 355 
generates the secure container 304 storing the content 
file CF and the signature data SIG62,sp thereof, the key 
file KF and the signature data SIGgs esc thereof, the 
price tag data 312 and the signature data SIG54 SP 



thereof, and the public key certificate data CERgp and 
the signature data SIGg-i esc thereof shown in Fig. 53A 
to Fig. 53D and stores the same in the secure container 
database 355a. Then, the secure container generator 
5 355 reads the secure container 304 in response to a re- 
quest from the user home network 303 from the secure 
container database 355a and outputs the same to the 
user home network manager 357. 
[0742] At this time, the secure container 304 may be 
a composite container storing a plurality of content files 
CF and a plurality of key files KF corresponding to them 
too. For example, it is also possible to store a plurality 
of content files CF concerning music, a video clip, a lyric 
card, liner notes, and a jacket in a single secure con- 
tainer 304. It is also possible that these plurality of con- 
tent files CF etc. be stored in the secure container 304 
with a directory structure. 

[0743] Further, when the secure container 304 is 
transmitted by a digital broadcast, an MHEG (Multime- 
dia and Hypermedia Information Coding Experts Group) 
protocol is used, while when it is transmitted by the In- 
ternet, an XML/SMIL/HTML (Hyper Text Markup Lan- 
guage) protocol is used. 

[0744] At this time, the content file CF and the key file 
KF are centrally managed by the content provider 301 
and do not depend on the protocol for transmitting the 
secure container 304. Namely, the content file CF and 
the key file KF are stored in the secure container 304 by 
tunneling the MHEG and HTML protocols. 
[0745] Step SZ7: The user home network manager 
357 supplies the secure container 304 to the user home 
network 303 off-line and/or on-line. 
[0746] When distributing the secure container 304 to 
the network apparatus 360-, of the user home network 
303 on-line, the user home network manager 357 en- 
crypts the secure container 304 by using the session 
key data Kses in the encryptor/decryptor 352 after the 
mutual authentication and then distributes the same via 
the network to the network apparatus 360^ . 
[0747] Note that, when broadcasting the secure con- 
tainer 304 via for example a satellite, the user home net- 
work manager 357 encrypts the secure container 304 
by using scramble key data K3QR or the like. Further, 
the scramble key data K3QR is encrypted by using work 
key data K^, while the work key data K^ is encrypted by 
using master key data K^. 

[0748] Then, the user home network manager 357 
transmits the scramble key data Kqcr ^nd the work key 
data Kw together with the secure container 304 to the 
user home network 303 via the satellite. 
[0749] Further, for example it stores the master key 
data Ky in an IC card or the like and distributes the same 
to the user home network 303 off-line. 
[0750] Further, when receiving the SP use purchase 
log data 309 concerning the content data C distributed 
by the related service provider 31 0 from the user home 
network 303, the user home network manager 357 
writes this into the storage unit 351 . 
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[0751] The service provider 310 refers to tine SP use 
purchase log data 309 when determining the service 
content in the future. Further, the user preference filter 
creator 920 analyzes the preference of the users of the 
SAMs 305-1 to 3054 transmitting the related SP use pur- 
chase log data 309 based on the SP use purchase log 
data 309 to generate anuser preference filter data 900 
and transmits this via the user home network manager 
357 to the CA module 311 of the user home network303. 
[0752] In Fig. 54, the flow of the data relating to the 
communication with the EMD service center 302 in the 
service provider 310 is shown. 

[0753] Note that, as the prerequisite of the following 
processing, the related party of the service provider 31 0 
performs processing for registration at the EMD service 
center 302 off-line by using for example its own ID card 
and bank account for the settlement processing and ac- 
quires the global unique identifier SPJD. The identifier 
SP_ID is stored in the storage unit 351 . 
[0754] First, an explanation will be made of the 
processing when the service provider 31 0 requests the 
public key certificate data CERgp for certifying the legit- 
imacy of the public key data Kgpg corresponding to its 
own secret key data Kgpg to the EMD service center 
302 by referring to Fig. 54. 

[0755] First, the service provider 31 0 generates a ran- 
dom number by using the true random number genera- 
tor to generate the secret key data Kgpg, generates the 
public key data Kgp s corresponding to the related secret 
key data Kgpg, and stores the same in the storage unit 
351. 

[0756] The identifiers SPJD and the public key data 
Kgpp of the EMD service center manager 358 and the 
service provider 31 0 are read from the storage unit 351 . 
[0757] Then, the EMD service center manager 358 
transmits the identifier SP_ID and the public key data 
Kgpp to the EMD service center 302. 
[0758] Then , the EM D service center manager 348 re- 
ceives as its inputs the public key certificate data CERgp 
and the signature data SIGg-i ^gQ thereof from the EMD 
service center 302 in accordance with the related reg- 
istration and writes the same into the storage unit 351 . 
[0759] Next, an explanation will be made of the 
processing of the case where the service provider 310 
registers the price tag data 31 2 in the EMD service cent- 
er 302 and authorizes the same by referring to Fig. 54. 
[0760] In this case, the signature processor 354 finds 
the hush value of a module Mod^Qg storing the price tag 
data 312 generated by the price tag data generator 356 
and the global unique identifier ContentJD read from 
the storage unit 351 and generates the signature data 
SIGqo gp by using the secret key data Kgpg. 
[0761] Further, it reads the public key certificate data 
CERgp and the signature data SIGg^ ^gQ thereof from 
the storage unit 351. 

[0762] Then, the encryptor/decryptor 353 encrypts a 

price tag registration request use module Mod-, 02 shown 
in Fig. 55 by using the session key data Kg^g obtained 



by the mutual authentication between the mutual au- 
thenticator 352 and the EMD service center 302, then 
transmits it from the EMD service center manager 358 
to the EMD service center 302. 
5 [0763] Note that, it is also possible that the global 
unique identifier SPJD of the service provider 310 be 
stored in the module Mod^oa- 

[0764] Further, the EMD service center manager 358 
writes settlement report data 307s received from the 

10 EMD service center 302 into the storage unit 351 . 

[0765] Further, the EMD service center manager 358 
stores marketing information data 904 received from the 
EMD service center 302 in the storage unit 351 . 
[0766] The marketing information data 904 is used as 
15 a reference when the service provider 310 determines 
the content data C to be distributed from then on. 

[EMD Service Center 302] 

20 [0767] The EMD service center 302 plays a role as 
the certificate authority (CA), key management author- 
ity, and right clearing authority as mentioned before. 
[0768] Figure 56 is a view of the configuration of the 
EMD service center 302. 

25 [0769] As shown in Fig. 56, the EMD service center 
302 has a key server 1 4 1 , key database 141a, a settle- 
ment processor 442, a signature processor 443, a set- 
tlement organization manager 144, a certificate usage 
control policy manager 445, a CER database 445a, a 

30 content provider manager 148, a CP database 148a, a 
SAM manager 1 49, a SAM database 1 49a, a mutual au- 
thenticator 150, an encryptor/decryptor 151, a service 
provider manager 390, an SP database 390a, a user 
preference filter creator 901 , and a marketing informa- 

35 Won data creator 902. 

[0770] In Fig. 56, the functional blocks given the same 
references as those of Fig. 1 0 and Fig. 1 1 have substan- 
tially the same functions as those of the functional 
blocks having the same references explained in the first 

40 embodiment. 

[0771 ] Below, an explanation will be made of the func- 
tional blocks given new references in Fig. 56. 
[0772] Note that, in Fig. 56, the flow of the data related 
to the data transferred between the EMD service center 

45 302 and the service provider 31 0 in the flow of the data 
among the functional blocks in the EMD service center 
302 is shown. 

[0773] Further, in Fig. 57, the flow of the data related 
to the data transferred between the EMD service center 
50 302 and the content provider 301 in the flow of the data 
among the functional blocks in the EMD service center 
302 is shown. 

[0774] Further, in Fig. 58, the flow of the data related 
to the data transferred between the EMD service center 
55 302 and the SAMs 305^ to 3054 shown in Fig. 49 and 
the settlement organization 91 in the flow of the data 
among the functional blocks in the EMD service center 
302 is shown. 
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[0775] The settlement processor 442 performs the 
settlement processing based on the usage log data 308 
input from the SAMs 305^ to 3064 and the suggested 
retailer' price data SPR and the price tag data 31 2 input 
from the certificate usage control policy manager 445 5 
as shown in Fig. 58. Note that, at this time, the settle- 
ment processor 442 monitors the existence of dumping 
etc. by the service provider 31 0. 

[0776] The settlement processor 442 generates set- 
tlement report data 307c and settlement claim data 152c 10 
for the content provider 301 as shown in Fig. 58 by the 
settlement processing and outputs them to the content 
provider manager 148 and the settlement organization 
manager 144. 

[0777] Further, by the settlement processing, as 15 
shown in Fig. 56 and Fig. 58, it generates the settlement 
report data 307s and settlement claim data 1 52s for the 
service provider 310 and outputs them to the service 
provider manager 390 and the settlement organization 
manager 1 44. 20 
[0778] Here, the settlement claim data 1 52c and 1 52s 
are authorized data enabling claim of payment of money 
to the settlement organization 91 based on the related 
data. 

[0779] Here, the usage log data 308 is used when de- 25 

termining the payment of the license fee related to the 
secure container 304 in the same way as the usage log 
data 108 explained in the first embodiment. The usage 
log data 308, for example, as shown in Fig. 59, de- 
scribes the identifier ContentJD of the content data C 30 
stored in the secure container 304, the identifier CPJD 
of the content provider 301 providing the content data 
C stored in the. secure container 304, the identifier 
SPJD of the service provider 31 0 distributing the secure 
container 304, the signal original data of the content da- 35 
ta C, the compression method of the content data C in 
the secure container 304, the identifier IVIediaJD of the 
storage medium storing the secure container 304, the 
identifier SAMJD of the SAMs 305^ to 3054 receiving 
the distribution of the secure container 304, and the 40 
USERJDof theuserof the related SAMs 105^ to IO54. 
Accordingly, in a case where the money paid by the user 
of the user home network 303 must be distributed to the 
license owners of for example the compression method 
and the storage medium other than the owners of the 45 
content provider 301 and the service provider 310, the 
EMD service center 302 determines the sum of money 
to be paid to the other parties based on the distribution 
rate table determined in advance and generates the set- 
tlement report data and settlement claim data in accord- 50 
ance with the related determination. 
[0780] The certificate usage control policy manager 
445 reads the public l^ey certificate data CERqp, public 
key certificate data CERgp, public key certificate data 
^Ef^SAMi ^E'^SAM2' registered and authorized in 55 
the CER database 445a and registers and authorizes 
the usage control policy data 106 and content key data 
Kc of the content provider 301 and the price tag data 



90 

312 of the service provider 31 0 etc. in the CER database 
445a. 

[0781 ] At this time, the certificate usage control policy 
manager 445 takes the hush values of the usage control 

policy data 1 06, content key data Kc, price tag data 312, 
etc., attaches the signature data using the secret key 
data Kesc.S' thereby generates the authorized pub- 
lic key certificate data. 

[0782] The content provider manager 148 has the 

function of communicating with the content provider 101 
andean access the CP database 148a for managing the 
registered identifier CPJD etc. of the content provider 
101. 

[0783] The user preference filter creator 901 gener- 
ates user preference filter data 903 for selecting the con- 
tent data C in accordance with the preference of the us- 
ers of the SAMs 305^ to 3054 transmitting the related 
usage log data 308 based on the usage log data 308 
and transmits the user preference filter data 903 to the 
SAMs 305-1 to 3054 transmitting the related usage log 
data 308 via the SAM manager 1 49. 
[0784] The marketing information data creator 902 
generates the marketing information data 904 indicating 
the state of purchase etc. of the entire content data C 
distributed to the user home network 1 03 by for example 
a plurality of service providers 310 based on the usage 
log data 308 and transmits this via the service provider 
manager 390 to the service provider 310. The service 
provider 31 0 determines the content of the service to be 
provided from then on with the marketing information 
data 904 as a reference. 

[0785] Below, an explanation will be made of the flow 
of the processing in the EMD service center 302. 
[0786] The transmission of the distribution key data 
KD-i to KDg from the EM D service center 302 to the con- 
tent provider 301 and the transmission of the distribution 
key data KD-, to KD3 from the EMD service center 302 
to the SAMs 305-| to 3054 are carried out in the same 
way as the case of the first embodiment. 
[0787] Further, the processing in the case where the 
EMD service center 302 receives a request for issuance 
of public key certificate data from the content provider 

301 is carried out in the same way as the case of the 
first embodiment except for the point that the certificate 
usage control policy manager 445 performs the regis- 
tration with respect to the CER database 445a. 
[0788] Below, an explanation will be made of the 
processing in the case where the EMD service center 

302 receives a request for issuance of public key certif- 
icate data from the service provider 310 by referring to 
Fig. 56 and Fig. 60. 

[0789] Figure 60 is a flowchart of the related process- 
ing. 

[0790] Step SOI : When receiving a request for regis- 
tration of public key certificate data containing the iden- 
tifier SPJD, public key data Kgpp, and signature data 
SIG70 sp of the service provider 31 0 given by the EMD 
service center 302 in advance from the service provider 
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310, the service provider manager 390 decrypts tinem 
by using the session key data Kses obtained by tine mu- 
tual authentication between the mutual authenticator 
150 and the mutual authenticator 352 shown in Fig. 51 . 
[0791] Step S02: After confirming the legitimacy of 
the related decrypted signature data SIGyg^sp ^'9" 
nature processor 443, it is confirmed whether or not the 
service provider 310 issuing a request for issuance of 
the related public key certificate data is registered in the 
SP database 390a based on the identifier SP_ID and 
the public key data Kgp p. 

[0792] Step S03: The certificate usage control policy 

manager 445 reads the public key certificate data CER- 
3P of the related service provider 31 0 from the CER da- 
tabase 445a and outputs the same to the service pro- 
vider manager 390. 

[0793] Step S04: The signature processor 443 takes 
the hush value of the public key certificate data CERgp, 
generates the signature dataSIGgi ESc'^y ^^ing the se- 
cret key data K^sq s of the EMD service center 302, and 
outputs this to the service provider manager 390. 
[0794] Step S05: The service provider manager 390 
encrypts the public key certificate data CERgp and the 
signature data SIGg^ ^sc thereof by using the session 
key data Kg^g obtained by the mutual authentication be- 
tween the mutual authenticator 150 and the mutual au- 
thenticator 352 shown in Fig. 51 and then transmits the 
same to the service provider 31 0. 
[0795] Note that, the processing where the EMD serv- 
ice center 302 receives a request for issuance of public 
key certificate data from the SAMs 105^ to IO54 is sim- 
ilar to the first embodiment. 

[0796] Further, also the processing where the EMD 
service center 302 receives the request for registration 
of the usage control policy data 106 from the content 
provider 301 is similar to that of the first embodiment. 
[0797] Next, an explanation will be made of the 
processing where the EMD service center 302 receives 
the request for registration of the price tag data 31 2 from 
the service provider 31 0 by referring to Fig. 56 and Fig. 
61. 

[0798] Figure 61 is a flowchart of the related process- 
ing. 

[0799] Step SP1 : When the service provider manager 
390 receives the price tag registration request module 
Mod-102 shown in Fig. 55 from the service provider 310, 
it decrypts the price tag registration request module 
Mod^ Q2 by using the session key data Kqes obtained by 
the mutual authentication between the mutual authenti- 
cator 150 and the mutual authenticator 352 shown in 
Fig. 51. 

[0800] Step SP2: The legitimacy of the signature data 
SIGqcsp stored in the related decrypted price tag reg- 
istration request module Modio2 confirmed in the sig- 
nature processor 443. 

[0801] Step SP3: The certificate usage control policy 
manager 445 registers and authorizes the price tag data 
312 stored in the price tag registration request module 



Mod-102 in the CER database 445a. 
[0802] Next, an explanation will be made of the 
processing where the settlement is carried out in the 
EMD service center 302 by referring to Fig. 58 and Fig. 

5 62. 

[0803] Figure 62 is a flowchart of the related process- 
ing. 

[0804] Step SQ1 : When receiving as its inputs the us- 
age log data 308 and signature data S IG205,sami thereof 

10 from for example the SAM 305^ of the user home net- 
work 303, the SAM manager 1 49 decrypts the usage log 
data 308 and the signature data SIG205,sami using 
the session key data KgEs obtained by the mutual au- 
thentication between the mutual authenticator 150 and 

15 the SAMs 305-| to 3054, verifies the signature data 
SIG205,SAM1 '^y using the public key data Kg^i^^ p of the 
SAM 305-1 , and then outputs the same to the settlement 
processor 442. 

[0805] Step SQ2: The settlement processor 442 per- 
20 forms the settlement processing based on the usage log 
data 308 input from the SAM 305-, and the suggested 
retailer' price data SRP and the price tag data 31 2 input 
from the certificate usage control policy manager 445. 
[0806] The settlement processor 442 generates the 
25 settlement report data 307c and the settlement claim da- 
ta 1 52c for the content provider 301 and the settlement 
report data 307s and the settlement claim data 1 52s for 
the service provider 31 0 as shown in Fig. 58 by the set- 
tlement processing. 
30 [0807] Note that, it is also possible that the settlement 
processing by the settlement processor 442 be carried 
out whenever the usage log data 308 is input, and for 
every predetermined period. 

[0808] Step SQ3: As shown in Fig. 56 and Fig. 58, the 
35 settlement claim data 1 52c and 1 52s for the content pro- 
vider 301 and the service provider 310 are generated 
and output to the settlement organization manager 1 44. 
[0809] The settlement organization manager 1 44 per- 
forms the mutual authentication of the settlement claim 
40 data 152c and 152s and the signature data generated 
for them by using the secret key data K^sc.s the 
decryption by the session key data Kg^g and then trans- 
mits the same to the settlement organization 91 via the 
payment gateway 90 shown in Fig. 49. 
45 [0810] By this, the money of the sum indicated in the 
settlement claim data 1 52c is paid to the content provid- 
er 301 , and the money of the sum indicated in the set- 
tlement claim data 152s is paid to the service provider 
310. 

50 [0811] Note that, it is also possible for the EMD serv- 
ice center 302 to transmit the settlement claim data 1 52c 
and 152s to the content provider 301 and the service 
provider 310. In this case, the content provider 301 and 
the service provider 310 claim the money to the settle- 

55 ment organization 91 based on the related received set- 
tlement claim data 152c and 152s. 
[0812] Step SQ4: The settlement report data S307c 
and S307S for the content provider 301 and the service 
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provider 31 0 are output via the content provider manag- 
er 1 48 and tlie service provider manager 390 to the con- 
tent provider 301 and the service provider 310. 
[0813] The EMD service center 302 performs the 
processing at the time of shipping of the SAMs 305^ to 
3064 and the registration processing of the SAIVI regis- 
tration list in the same way as the EMD service center 
102 of the first embodiment other than the above. 

[User Home Network 303] 

[0814] The user home network 303 has the network 
apparatus 3601 and the A/V apparatuses 36O2 to 36O4 
as shown in Fig. 49. 

[0815] The network apparatus 360^ includes the CA 
module 311 and the SAM 305^. Further, the A/V appa- 
ratuses 36O2 to 36O4 include the SAMs 3052 ^05^. 
[081 6] The SAMs 3052 ^^^4 connected to each 
other via the bus 1 91 , for example, a I EEE serial inter- 
face bus. 

[0817] Note that it is also possible that the AV appa- 
ratuses 36O2 to 36O4 have a network communication 
function or do not have a network communication func- 
tion, but utilize the network communication function of 
the network apparatus 360-, via the bus 191. 
[0818] Further, it is also possible that the user home 
network 303 have only AV apparatuses not having the 
network function. 

[0819] Below, an explanation will be made of the net- 
work apparatus 360-,. 

[0820] Figure 63 is a view of the configuration of the 
network apparatus 360-|. 

[0821] As shown in Fig. 63, the network apparatus 
360^ has a communication module 162, a CA module 
311, a decryption module 905, a SAM 305-,, a decryp- 
tion/decompression module 163, a purchase/usage 
mode determination controller 1 65, a download memory 
167, a reproduction module 169, and an external mem- 
ory 201. 

[0822] In Fig. 63, components given the same refer- 
ences as those of Fig. 16 are the same as the compo- 
nents of the same references explained in the first em- 
bodiment. 

[0823] The communication module 162 performs the 
communication processing with the service provider 
310. 

[0824] Specifically, the communication module 162 
outputs the secure container 304 received from the 
service provider 31 0 by a satellite broadcast or the like 
to the decryption module 905. Further, the communica- 
tion module 162 outputs the user preference filter data 
900 receiving the SP use purchase log data 309 via a 
telephone line or the like at the service provider 310 to 
the CA module 31 1 and, at the same time, transmits the 
SP use purchase log data 309 input from the CA module 
311 to the service provider 310 via a telephone line or 
the like. 

[0825] Figure 64 is a functional block diagram of the 



CA module 311 and the decryption module 905. 
[0826] As shown in Fig. 64, the CA module 31 1 has a 
mutual authenticator 906, a storage unit 907, an encryp- 
tor/decryptor 908, and an SP use purchase log datacre- 

5 ator 909. 

[0827] When transferring data between the CA mod- 
ule 311 and the service provider 310 via the telephone 
line, the mutual authenticator 906 performs the mutual 
authentication with the service provider 31 0 to generate 
10 the session key data Kqes outputs this to the en- 
cryptor/decryptor 908. 

[0828] The storage unit 907 stores the master key da- 
ta supplied from the service provider 31 0 off-line by 
using an IC card 912 etc. after for example a contract is 
15 established between the service provider 310 and the 
user. 

[0829] The encryptor/decryptor 908 receives as its in- 
puts the encrypted scramble key data Kqcr and work 
key data from adecryptor 91 Oof the decryption mod- 
20 ule 905 and decrypts the work key data Ky^ by using the 
master key data K|^ read from the storage unit 907. 
Then, the encryptor/decryptor 908 decrypts the scram- 
ble key data Kqcr by using the related decrypted work 
key data Ky^ and outputs the related decrypted scramble 
25 key data Kscr to the decryptor 91 0. 

[0830] Further, the encryptor/decryptor 908 decrypts 
the user preference filter data 900 received by the com- 
munication module 162 from the service provider 310 
via a telephone line or the like by using the session key 
30 data KgEs ^^^^ the mutual authenticator 906 and out- 
puts the same to a secure container selector 91 1 of the 
decryption module 905. 

[0831] Further, the encryptor/decryptor 908 decrypts 
the SP use purchase log data 309 input from the SP use 
35 purchase log data creator 909 by using the session key 
data Kg^s ^^^m the mutual authenticator 906 and trans- 
mits the same via the communication module 1 62 to the 
service provider 310. 

[0832] The SP use purchase log data creator 909 
40 generates the SP use purchase log data 309 indicating 
the purchase log of the content data C inherent in the 
service provider 310 based on the control signal SI 65 
in accordance with the purchase operation of the con- 
tent data C by the user by using the purchase/usage 
45 mode determination controller 165 shown in Fig. 63 or 
the usage control status data 1 66 from the SAM 305^ 
and outputs this to the encryptor/decryptor 908. 
[0833] The SP use purchase log data 309 contains for 
example the information to be collected from the user 
50 concerning the distribution service by the service pro- 
vider 31 0, monthly base fee (network rent), contract (up- 
date) information, and the purchase log information. 
[0834] Note that, the CA module 311 communicates 
with a charge database, a customer management data- 
55 base, and a marketing information database of the serv- 
ice provider 31 0 when the service provider 31 0 has the 
charge function. In this case, the CA module 311 trans- 
mits the charge data for the distribution service of the 
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content data to the service provider 31 0. 
[0835] The decryption module 905 has the decryptor 
910 and the secure container selector 911. 
[0836] The decryptor 910 receives as its inputs the 
encrypted secure container 304, scramble key data 
KscR> and the work key data from the communica- 
tion module 162. 

[0837] Then, the decryptor 91 0 outputs the encrypted 
scramble key data K3QR and work key data to the 
encryptor/decryptor 908 of the CA module 311 and re- 
ceives as its input the decrypted scramble key data 
Kqcr from the encryptor/decryptor 908. 
[0838] Then, the decryptor 91 0 decrypts the encrypt- 
ed secure container 304 by using the scramble key data 
KscR and then outputs the same to the secure container 
selector 911. 

[0839] Note that, when the secure container 304 is 
transmitted from the service provider 31 0 by the MPEG2 
Transport Stream system, for example, the decryptor 
910 fetches the scramble key data Kscr from an ECM 
(Entitlement Control Message) in a TS packet and fetch- 
es the work key data from an EMM (Entitlement 
Management Message). 

[0840] The ECM, other than the above, contains for 
example program attribute information for every chan- 
nel. Further, the EMM, other than this, contains individ- 
ual trial listening contract information different for every 
user (auditor) etc. 

[0841] The secure container selector 911 filters the 
secure container 304 input from the decryptor 910 by 
using the user preference filter data 900 input from the 
CA module 31 1 , selects the secure container 304 in ac- 
cordance with the preference of the user, and outputs 
the same to the SAM 305-,. 

[0842] Next, an explanation will be made of the SAM 
305^. Note that, the SAM 305^ has basically the same 
function and structure as the SAM 105i of the first em- 
bodiment mentioned before by using Fig. 17 to Fig. 41 
except it performs the processing concerning the serv- 
ice provider 31 0 in addition to the content provider 31 0, 
for example, it performs the signature verification 
processing for the service provider 310. 
[0843] Further, the SAMs 3052 ^o 3054 basically have 
the same functions as those of the SAM 305-,. 
[0844] Namely, the SAMs 305^ to 3054 are modules 
for performing the charge processing in units of content 
and communicate with the EMD service center 302. 
[0845] Below, the functions of the SAM 305^ will be 
explained in detail. 

[0846] Figure 65 is a view of the configuration of the 
SAM 305i. 

[0847] Note that, in Fig. 65, the flow of the data related 
to the processing of receiving as the input the secure 
container 304 from the service provider 310 and de- 
crypting the key file KF in the secure container 304 is 
shown. 

[0848] As shown in Fig. 65, the SAM 305-, has a mu- 
tual authenticator 170, encryptor/decryptors 171, 172, 



and 173, error corrector 181, download memory man- 
ager 182, secure container decryptor 183, decryption/ 
decompression module manager 184, EMD service 
center manager 185, usage monitor 186, signature 

5 processor 189, SAM manager 190, storage unit 192, 
media SAM manager 197, stack memory 200, service 
provider manager 580, charge processor 587, signature 
processor 598, and external memory manager 811. 
[0849] Note that, the predetermined functions of the 

10 SAM 305^ shown in Fig. 65 are realized by executing a 
secret program in the CPU in the same way as the case 
of the SAM 105i. 

[0850] In Fig. 65, functional blocks given the same ref- 
erences as those of Fig. 17 are the same as the func- 
15 tional blocks having the same references explained in 
the first embodiment. 

[0851] Further, the external memory 201 shown in 

Fig. 63 stores the usage log data 308 and the SAM reg- 
istration list after the processing explained in the first 

20 embodiment and the processing mentioned later. 

[0852] Further, the stack memory 200, as shown in 
Fig. 66, stores the content key data Kc, usage control 
policy data (UCP) 106, lockkey data K|_qq of the storage 
unit 192, public key certificate data CERqp of the con- 

25 tent provider 301 , public key certificate data CERsp of 
the service provider 310, usage control status data 
(UCS) 366, SAM program download containers SDC^ 
to SFDC3, price tag data 31 2, etc. 
[0853] Below, an explanation will be made of the func- 

30 tional blocks newly given references in Fig. 65 among 
the functional blocks of the SAM 305^. 
[0854] The signature processor 589 verifies the sig- 
nature data in the secure container 304 by using the 
public key data K^gQ p of the EMD service center 302, 

35 public key data Kqpp of the content provider 301 , and 
the public key data Kgpp of the service provider 310 
read from the storage unit 1 92 or the stack memory 200. 
[0855] The charge processor 587 performs the 
charge processing in accordance with the purchase 

40 and/or usage mode of the content by the user based on 
the control signal SI 65 from the purchase/usage mode 
determination controller 165 shown in Fig. 63 and the 
price tag data 312 read from the stack memory 200 as 
shown in Fig. 67. 

45 [0856] The charge processing by the charge proces- 
sor 587 is carried out based on the content of the right 
such as the license conditions indicated by the usage 
control policy data 1 06 and the usage control status data 
166 under the monitoring of the usage monitor 186. 

50 Namely, the user can purchase and use the content 
within the range according to the related content of the 
right etc. 

[0857] Further, the charge processor 587 generates 
the usage log data 308 in the charge processing and 
55 writes this into the external memory 201 via the external 
memory manager 811 . 

[0858] Here, the usage log data 308 is used when de- 
termining the payment of the license fee related to the 
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secure container 304 in the ElVID service center 302 in 
tine same way as the usage log data 1 08 of the first em- 
bodiment. 

[0859] Further, the charge processor 587 generates 
the usage control status (UCS) data 166 describing the 
purchase and/or usage mode of the content by the user 
based on the control signal S1 65 and writes this into the 
external memory 201 via the external memory manager 
811. 

[0860] As the purchase modes of the content, there 
are for example a straight purchase without restriction 
as to reproduction by the purchaser and copying for the 
usage of the related purchaser and a reproduction 
charge charging whenever it is reproduced. 
[0861 ] Here, the usage control status data 1 66 is gen- 
erated when the user determines the purchase mode of 
the content, then is used for control so that the user uses 
the related content within the range permitted by the re- 
lated determined purchase mode. The usage control 
status data 1 66 describes the ID of the content, the pur- 
chase mode, the straight purchase price, the SAMJD 
of the SAM with the purchase of the related content per- 
formed therefor, USER_ID of the purchasing user, etc. 
[0862] Note that, when the determined purchase 
mode is the reproduction charge, for example, the us- 
age control status data 1 66 is transmitted from the SAM 
305-, to the service provider 310 in real-time, and the 
service provider 31 0 indicates to the EMD service center 
302 to take the usage log data 1 08 from the SAM 1 05-, . 
[0863] Further, when the determined purchase mode 
is a straight purchase, for example, the usage control 
status data 1 66 is transmitted to the service provider 31 0 
and the EMD service center 302 in real-time. 
[0864] Further, the SAM 305-, outputs the user pref- 
erence filter data 903 received by the EM D service cent- 
er manager 1 85 from the EMD service center 302 to the 
service provider manager 580. Then, the service pro- 
vider manager 580 filters the secure container 304 input 
from the decryption module 905 shown in Fig. 63 based 
on the user preference filter data 903, selects the secure 
container 304 in accordance with the preference of the 
user, and outputs the related selected secure container 
304 to the error corrector 181. By this, the SAM 305^ 
can perform the processing for selection of the content 
data C based on the preference of the related user ob- 
tained from the state of purchase of the content data C 
by the related user covering all service providers 310 
contracted with the user of the related SAM 305^. 
[0865] Below, the flow of the processing in the SAM 
305^ will be explained. 

[0866] The flow of the processing when storing the 

distribution key data KD^ to KDg received from the EMD 
service center 302 in the storage unit 192 is similar to 
that of the case of the SAM 1 05^ mentioned before. 
[0867] Below, an explanation will be made of the flow 
of the processing in the SAM 305-, when receiving as its 
input the secure container 304 from the service provider 
310 and decrypting the key file KF in the secure con- 



tainer 304 by referring to Fig. 65 and Fig. 68. 
[0868] Figure 68 is a flowchart of the related process- 
ing. Step SR1 : The mutual authentication is carried out 
between the mutual authenticator 1 70 and the mutual 
5 authenticator 352 of the service provider 31 0 shown in 
Fig. 51. 

[0869] The encryptor/decryptor 171 decrypts the se- 
cure container 304 shown in Fig. 53A to Fig. 53D re- 
ceived from the service provider 31 0 via the service pro- 

10 vider manager 580 by using the session key data Kq^q 
obtained by the related mutual authentication. 
[0870] Step SR2: The signature processor 589 veri- 
fies the signature data SIGg-, ^sc shown in Fig. 53D and 
then confirms the legitimacy of the signature data 

15 SIG62,sP' ^'^63, SP' andSIG64 SP by using the public key 
data KSRP of service provider 31 0 stored in the public 
key certificate data CERgp shown in Fig. 53D. 
[0871] When the legitimacy of the signature data 
SIG62,sp, SIGga sP' and SIG64 sp is confirmed, the serv- 

20 ice provider manager 580 outputs the secure container 
304 to the error corrector 181. 

[0872] The error corrector 181 corrects the error of the 
secure container 304 and then outputs the result to the 
download memory manager 182. 

25 [0873] Step SR3: The download memory manager 
182 performs the mutual authentication between the 
mutual authenticator 170 and the media SAM 167a 
shown in Fig. 63 and then writes the secure container 
304 into the download memory 167. 

30 [0874] Step SR4: The download memory manager 
182 performs the mutual authentication between the 
mutual authenticator 170 and the media SAM 167a 
shown in Fig. 63 and then reads the key file KF shown 
in Fig. 53B stored in the secure container 304 and out- 

35 puts the same to the secure container decryptor 1 83. 
[0875] Then, the secure container decryptor 183 de- 
crypts the key file KF by using the distribution key data 
KD^ to KD3 of the corresponding period input from the 
storage unit 192. 

40 [0876] Step SR5: The secure container decryptor 1 83 
outputs the signature data SIG-|^sq and SIG2 CP to 
SIG4 Qp stored in the signature certificate module Mod^ 
shown in Fig. 53B to the signature processor 589. 
[0877] The signature processor 589 verifies the sig- 

45 nature data SIG-i ESC shown in Fig. 53B and then verifies 
the signature data SIG2_cp to SIG4 Qp by using the public 
key data Kqp p stored in public key certificate data CER- 
cp- 

[0878] Step SR6: The secure container decryptor 1 83 
50 writes the key file KF into the stack memory 200 when 
the legitimacy of the signature data SIG2 cp to SIG4 Qp 
is confirmed. 

[0879] Below, an explanation will be made of the flow 
of the processing until the purchase mode of the secure 
55 container 304 downloaded from the service provider 
310 on the download memory 167 is determined by re- 
ferring to Fig. 67 and Fig. 69. 

[0880] Figure 69 is a flowchart of the related process- 
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ing. Step SS1: The charge processor 587 decides by 
the operation of the purchase/usage mode determina- 
tion controller 1 65 shown in Fig. 63 by the user whether 
or not the control signal S1 65 indicating the trial listening 
mode was input. Where it decides it was input, it exe- 5 
cutes the processing of step SS2, while when it decides 
it was not input, executes the processing of step SS3. 
[0881] Step SS2: For example, the content file CF 
stored in the download memory 1 67 is output to the de- 
cryption/decompression module 163 shown in Fig. 63 io 
via the decryption/decompression module manager 
184. 

[0882] At this time, with respect to the content file CF, 
the mutual authentication between the mutual authenti- 
cator 1 70 and the media SAM 1 67a, the encryption and/ 15 
or decryption by the session key data Kqes, the mutual 
authentication between the mutual authenticator 170 
and the mutual authenticator 220, and the encryption 
and/or decryption by the session key data Kq^q are car- 
ried out. 20 
[0883] The content file CF is decrypted in the decryp- 
tor 221 shown in Fig. 63 and then output to the decryptor 
222. 

[0884] Further, the content key data Kc and semi-dis- 
closure parameter data 1 99 read from the stack memory 25 
200 are output to the decryption/decompression module 
1 63 shown in Fig. 63. At this time, after the mutual au- 
thentication between the mutual authenticator 170 and 
the mutual authenticator 220, the encryption and de- 
cryption by the session key data Kg^g are carried out 30 
with respect to the content key data Kc and the semi- 
disclosure parameter data 199. 
[0885] Next, the decrypted semi-disclosure parame- 
ter data 199 is output to the semi-disclosure processor 
225, and the decryption of the content data C using the 35 
content key data Kc by the decryptor 222 is carried out 
by semi-disclosure under the control from the semi-dis- 
closure processor 225. 

[0886] Next, the content data C decrypted by semi- 
disclosure is decompressed at the decompression unit 40 
223 and then output to the electronic watermark infor- 
mation processor 224. 

[0887] Next, he user watermark data 1 96 is buried in 

the content data C in the electronic watermark informa- 
tion processor 224, then the content data C is repro- 45 
duced at the reproduction module 169, and the audio in 
accordance with the content data C is output. 
[0888] Step SS3: When the user trying out the content 
determines the purchase mode by operating the pur- 
chase/usage mode determination controller 165, the 50 
control signal S165 indicating the related determined 
purchase mode is output to the charge processor 187. 
[0889] Step SS4: The charge processor 187 gener- 
ates the usage log data 308 and the usage control status 
data 166 in accordance with the determined purchase 55 
mode, writes the usage log data 308 into the external 
memory 201 via the external memory manager 81 1 , and 
writes the usage control status data 166 into the stack 
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memory 200. 

[0890] Below, the usage monitor 1 86 performs control 
(monitor) so that the purchase and usage of the content 
are carried out within the range permitted by the usage 

control status data 166. 

[0891] Step SS5: The usage control status data 166 
is added to the key file KF stored in the stack memory 
200, and a new key file KF^-i shown in Fig. 71 having 
the determined purchase mode is generated. The key 
file KF-i^ is stored in the stack memory 200. 
[0892] As shown in Fig. 71, the usage control status 
data 166 stored in the key file KF1 is encrypted by uti- 
lizing the CBC mode of the DBS by using the session 
key data Ksjr- Further, the MAC value generated by us- 
ing the related storage key data KgjR as the MAC key 
data, that is, the MAC300, is attached. Further, the mod- 
ule comprised by the usage control status data 1 66 and 
the MAC300 is been encrypted by utilizing the CBC mode 
of DES by using the media key data K^^d- Further, a 
MAC value generated by using the related media key 
data K^ED the MAC key data, that is, the MAC301, is 
attached to the related module. 

[0893] Next, an explanation will be made of the flow 
of the processing in the case where the content data C 
having the purchase mode already determined stored 
in the download memory 167 is reproduced by referring 
to Fig. 67 and Fig. 70. 

[0894] Figure 70 is a flowchart of the related process- 
ing. Step ST1 : For example, in accordance with the op- 
eration by the user, the designation of the content to be 
reproduced is received at the SAM. 
[0895] Step ST2: Under the monitoring of the usage 
monitor 186, the content file CF stored in the download 
memory 167 is read based on the control signal SI 65. 
[0896] Step ST3: The related read content file CF is 
output to the decryption/decompression module 163 
shown in Fig. 63. 

[0897] Further, the content key data Kc read from the 
stack memory 200 is output to the decryption/decom- 
pression module 163. 

[0898] Step ST4: The decryptor 222 of the decryption/ 
decompression module 1 63 decrypts the content file CF 
using the content key data Kc and the decompression 
processing by the decompression unit 223 and repro- 
duces the content data C at the reproduction module 
169. 

[0899] Step ST5: The charge processor 587 updates 
the usage log data 308 in accordance with the control 
signal SI 65. 

[0900] The usage log data 308 is transmitted together 
with the signature data SIG205,sami generated by using 
the secret key data ksami,s E\\AD service center 

302 via the EMD service center manager 1 85 at the pre- 
determined timing. 

[0901] Below, an explanation will be made of the flow 
of the processing in the SAM 305-, in the case of, as 
shown in Fig. 72, transferring for example the content 
file CF having the purchase mode already determined 
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and downloaded in the download memory 167 of the 
network apparatus 3601 to the SAM 3052 of the AV ap- 
paratus 3602 via the bus 1 91 by referring to Fig. 73 and 
Fig. 74. 

[0902] Step SU1 : The user operates the purchase/us- 5 
age mode determination controller 165 and indicates to 
this to transfer the predetermined content stored in the 
download memory 167 to the AP apparatus 36O2 and 
outputs the control signal SI 65 in response to the relat- 
ed operation to the charge processor 587. 10 
[0903] By this, the charge processor 587 updates the 
usage log data 308 stored in the stack memory 200 
based on the control signal SI 65. 
[0904] Step SU2: The download memory manager 
182 outputs the content file CF shown in Fig. 75A read ^5 
from the download memory 167 to the SAM manager 
190. 

[0905] Step SU3: The key file KF^^ having the pur- 
chase mode already determined shown in Fig. 75B read 
from the stack memory 200 is output to the signature 20 
processor 589 and the SAM manager 1 90. 
[0906] Step SU4: The signature processor 589 gen- 
erates the signature data SIGqq sami of the key file KF^^ 
and outputs this to the SAM manager 190. 
[0907] Step SU5: The SAM manager 190 reads the 25 
public key certificate data CERsami shown in Fig. 75C 
and the signature data SIG22,esc thereof from the stor- 
age unit 1 92. 

[0908] Further, the mutual authenticator 170 outputs 
the session key data Kg^g obtained by performing the 30 
mutual authentication with the SAM 3052 the encryp- 
tor/decryptor 171 . 

[0909] The SAM manager 190 generates the secure 
container comprised by the data shown in Figs. 75A, 
758, and 75C. 35 
[0910] Step SU6: The encryptor/decryptor 171 en- 
crypts and generates the related secure container by us- 
ing the session key data KgEs ^"^^1 outputs it to the SAM 
3052 of the AV apparatus 36O2 shown in Fig. 73. 
[0911] Below, an explanation will be made of the flow 
of the processing in the SAM 3052 when writing the con- 
tent file CF etc. input from the SAM 305^ into a RAM 
type storage medium or the like by referring to Fig. 76 
and Fig. 77. 

[0912] Figure 77 is a flowchart of the related process- ^5 
ing. Step SV1 : The SAM manager 1 90 of the SAM 3052 
receives as its inputs the content file CF shown in Fig. 
75A, the key file KF-,-, and the signature data SIGqq sami 
thereof shown in Fig. 75B, and the public key certificate 
data CERsami and the signature data SIG22, esc thereof 50 
shown in Fig. 75C from the SAM 305-, of the network 
apparatus 360-, as shown in Fig. 76. 
[0913] Then, the encryptor/decryptor 171 decrypts 
the content file CF, the key file KF^-, and the signature 
data SIGgo sAMi thereof, the public key certificate data 55 
CERsami ^"^^I the signature data SIG22,esc thereof re- 
ceived by the SAM manager 1 90 as inputs by using the 
session key data Kses obtained by the mutual authen- 
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tication between the mutual authenticator 170 and the 
mutual authenticator 170 of the SAM 305-,. 
[0914] Next, the content file CF decrypted by using 
the session key data Kses output to the media SAM 

manager 197. 

[0915] Further, the key file KF-i-i and the signature da- 
ta SIGqosami thereof and the public key certificate data 
CERsami ^"^^ the signature data SIG22,esc thereof de- 
crypted by using the session key data Kses written 
into the stack memory 200. 

[0916] Step SV2: The signature processor 589 veri- 
fies the signature data SIG22,esc ^^^^ the stack 
memory 200 by using the public key data K^scp ''^^^ 
from the storage unit 1 92 and confirms the legitimacy of 
the public key certificate data CERsami- 
[0917] Then, the signature processor 589 confirms 
the legitimacy of the signature data SIGgo sami using 
the public key data Ksami,p stored in the public key cer- 
tificate data CERsami when confirming the legitimacy of 
the public key certificate data CERsami- 
[0918] Step SV3: When the legitimacy of the signa- 
ture data SIGqo sami confirmed, the key file KF^^ 
shown in Fig. 75B is read from the stack memory 200 
and output to the encryptor/decryptor 1 73. 
[0919] Then, the encryptor/decryptor 1 73 sequential- 
ly encrypts the key file KF-,^ by using the storage key 
data KsTR, media key data Ky and the purchaser key 
data Kpi,^ read from the storage unit 192 and outputs 
the same to the media SAM manager 197. 
[0920] Step SV4: The media SAM manager 1 97 out- 
puts the content file CF input from the SAM manager 
190 and the key file KF-^ input from the encryptor/de- 
cryptor 1 73 to the storage module 260 shown in Fig. 72. 
[0921] Then, the storage module 260 writes the con- 
tent file CF and the key file KF-,^ input from the media 
SAM manager 1 97 into the RAM region 251 of the RAM 
type storage media 250 shown in Fig. 72. 
[0922] Note that, in the processing in the SAM 305^, 
the flow of the processing in the AV apparatus 36O2 
when determining the purchase mode of a ROM type 
storage medium having the not yet determined pur- 
chase mode of the content and the flow of the process- 
ing when reading the secure container 304 from a ROM 
type storage medium having the not yet determined pur- 
chase mode in the AV apparatus 36O3 and transferring 
this to the AV apparatus 36O2 and writing the same into 
the RAM type storage medium are the same as the case 
of the SAM 105^ of the first embodiment except the point 
that the verification of the signature data using the secret 
key data of the service provider 310 is carried out and 
the point that the price tag data 312 is stored in the key 
file having the purchase mode determined. 
[0923] Next, an explanation will be made of the overall 
operation of the EMD system 300 shown in Fig. 49. 
[0924] Figure 78 and Fig. 79 are flowcharts of the 
overall operation of the EMD system 300. 
[0925] Here, an explanation will be made by illustrat- 
ing the case where the secure container 304 is trans- 
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mitted from the service provider 310 to tine user home 
network 303 on-line. 

[0926] Note that, as the prerequisite of the following 
processing, it is assumed that the content provider 301 , 
service provider 310, and SAMs 305-, to 3064 have al- 
ready been registered at the EIVID service center 302. 
[0927] Step S21 : The EMD service center 302 trans- 
mits the certificate CERqp of the public key data Kqp p 
of the content provider 301 together with its own signa- 
ture data SIG^ to the content provider 301 . 
[0928] Further, the EMD service center 302 transmits 
the certificate CERgp of the public key data Kgpp the 
content provider 301 together with its own signature da- 
ta SIGg^ ESC service provider 310. 
[0929] Further, the EMD service center 302 transmits 
six months' worth of the distribution key data KD^ to KDg 
each having a term of validity of one month to the con- 
tent provider 301 and transmits three months' worth of 
the distribution key data KD^ to KD3 to the SAMs 305^ 
to 3064 of the user home network 303. 
[0930] Step S22: The content provider 301 transmits 
the right registration request module Mod2 shown in Fig. 
7 A to the EMD service center 302. 
[0931] Then, the EMD service center 302 registers 
and authorizes (certifies) the usage control policy data 
106 and content key data Kc after the predetermined 
signature verification. 

[0932] Step S23: The content provider 301 supplies 
the secure container 104 storing the data shown in Fig. 
4A, Fig. 4B, and Fig. 4C to the service provider 31 0 after 
the processing for preparation of the signature data and 
the encryption processing using the distribution key data 
KD^ to KDg of the corresponding period etc. 
[0933] Step S24: The service provider 31 0 verifies the 
signature data SIG-, ^sc shown in Fig. 4C and then ver- 
ifies the signature data SIGgQp and SIG^Qp shown in 
Figs. 4A and 4B by using the public key data Kqpp 
stored in the public key certificate data CERqp to con- 
firm if the secure container 1 04 was transmitted from a 
legitimate content provider 301 . 

[0934] Step S25: The service provider 31 0 generates 
the price tag data 312 and generates the secure con- 
tainer 304 shown in Fig. 53 storing the price tag data 
312. 

[0935] Step S26: The service provider 310 transmits 
the price tag registration request module Mod-, 02 shown 
in Fig. 55 to the EMD service center 302. 
[0936] Then, the EMD service center 302 registers 
and authorizes the price tag data 312 after the prede- 
termined signature verification. 

[0937] Step S27: The service provider 310 transmits 
the secure container 304 generated at step S25 on-line 
or off-line to the decryption module 905 of the network 
apparatus 360-| shown in Fig. 63 in response to the re- 
quest from for example the CA module 311 of the user 
home network 303. 

[0938] Step S28: The CA module 311 generates the 
SP use purchase log data 309 and transmits this to the 



service provider 31 0 at the predetermined timing. 
[0939] StepS29: Each of the SAMs 305^ to3054, after 
verifying the signature data SIGg^ ^sc shown in Fig. 
53D, verifies the signature data SIG62,sP' ^'*^63,SP' 
5 SIGe4 3p shown in Figs. 53A, 53B, and 53C by using the 
public key data Kgp p stored in the public key certificate 
data CERsp to confirm if the secure container 304 is 
transmitted from a legitimate service provider 310. 
[0940] Step S30: Each of the SAMs 305^ to 3064 de- 
10 crypts the key file KF shown in Fig. 538 by using the 
distribution key data KD^ to KD3. Then, each of the 
SAMs 305^ to 3064, after verifying the signature data 
SIG-i ESC shown in Fig. 538, verifies the signature data 
SIG2 CP' SIG3 Qp, and SIG4 Qp shown in Fig. 538 by us- 
15 ing the public key data Kqpp stored in the public key 
certificate data CERqp to confirm if the content data C, 
content key data Kc, and usage control policy data 1 06 
were generated by a legitimate content provider 301 . 
[0941] Step S31 : The user operates the purchase/us- 
20 age mode determination controller 1 65 of Fig. 63 to de- 
termine the purchase and/or usage mode of the content. 
[0942] Step S32: Based on the control signal SI 65 
generated at step S31 , the SAMs 305^ to 3054 generate 
the usage log data 308 of the secure container 304. 
25 [0943] The usage log data 308 and the signature data 
SIG205,SAM1 thereof are transmitted from the SAMs 
305-1 to 3054 to the EMD service center 302. 
[0944] The EMD service center 302 determines (cal- 
culates) the charge content for each of the content pro- 
30 vider 301 and the service provider 31 0 based on the us- 
age log data 308 and generates the settlement claim 
data 152c and 152s based on the result thereof. 
[0945] The EM D service center 302 transmits the set- 
tlement claim data 1 52c and 1 52s together with its own 
35 signature data to the settlement organization 91 via the 
payment gateway 90. By this, the money paid by the 
user of the user home network 303 to the settlement or- 
ganization 91 is distributed to the owners of the content 
provider 301 and the service provider 310. 
40 [0946] As explained above, the EMD system 300 dis- 
tributes the secure container 104 of the format shown 
in Fig. 4 from the content provider 301 to the service 
provider 310 and distributes the secure container 304 
storing the content file CF and key file KF in the secure 
45 container 1 04 as they are from the service provider 31 0 
to the user home network 303 and performs the 
processing for the key file KF in the SAMs 305-, to 3054. 
[0947] Also, the content key data Kc and usage con- 
trol policy data 1 06 stored in the key file KF are encrypt- 
50 ed by using the distribution key data KD-, to KDg and 
decrypted in only the SAMs 305^ to 3054 holding the 
distribution key data KD^ to KD3. The SAMs 305^ to 
3054 are modules having tamper resistance. The pur- 
chase mode and the usage mode of the content data C 
55 are determined based on the handling content of the 
content data C described in the usage control policy da- 
ta 106. 

[0948] Accordingly, according to the EMD system 
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300, the purchase and usage of the content data C in 
the user home network 303 can be reliably performed 
based on the content of the usage control policy data 
1 06 generated by the related parties of the content pro- 
vider 101 regardless of the processing in the service 
provider 310. Namely, according to the EMD system 
300, it is possible to prevent the usage control policy 
data 1 06 from not being able to be managed by the serv- 
ice provider 31 0. 

[0949] For this reason, according to the EMD system 
300, even in a case where the content data C is distrib- 
uted to the user home network 303 via a plurality of serv- 
ice providers 310 of different series, the right clearing 
for the related content data C in the user home network 
303 can be performed based on the common usage 
control policy data 1 06 generated by the content provid- 
er 301. 

[0950] Further, the EMD system 300 enables com- 
mon right clearing of the content data C in the SAMs 
305-1 to 3054 ^^^^ on-line and off-line by distributing the 
content data C from the content provider 301 to the user 
home network 1 03 by using the secure container 304 in 
both cases. 

[0951] Further, the EMD system 300 enables use of 
common right clearing rules when purchasing, using, 
storing, and transferring the content data C in the net- 
work apparatus 360-| and the AV apparatuses 36O2 to 
36O4 in the user home network 303 by performing 
processing always based on the usage control policy 
data 106. 

[0952] Further, according to the EMD system 300, 
since the EM D service center 302 has an authentication 
function, key data management function, and right 
clearing (profit distribution) function, the money paid by 
the user accompanied with the usage of the content is 
reliably distributed to the owners of the content provider 
301 and the EMD service center 302 according to the 
ratio determined in advance. 

[0953] Further, according to the EMD system 300, the 
usage control policy data 106 for the same content file 
CF supplied by the same content provider 301 is sup- 
plied as it is to the SAMs 305^ to 3054 regardless of the 
service mode of the service provider 310. Accordingly, 
the SAMs 305^ to 3064 can use the content file accord- 
ing to the intention of the content provider 301 based on 
the usage control policy data 106. 
[0954] Namely, according to the EMD system 300, 
when the service using the content and the user use the 
content, the rights and profit of the owner of the content 
provider 301 can be reliably protected by technical 
means without depending on an inspection organization 
725 as in the conventional case. 

First Modification of Second Embodiment 

[0955] Figure 80 is a view of the configuration of an 
EMD system 300a using two service providers accord- 
ing to a first modification of the second embodiment. 



[0956] In Fig. 80, components given the same refer- 
ences as those of Fig. 49 are the same as the compo- 
nents having the same references explained in the sec- 
ond embodiment. 
5 [0957] As shown in Fig. 80, the EMD system 300a 
supplies the same secure container 104 from the con- 
tent provider 301 to the service providers 310a and 
310b. 

[0958] The service provider 31 Oa provides the service 

10 of providing for example a drama program as content. 
This service generates a secure container 304a storing 
the content data C related to the related drama program 
and price tag data 312a uniquely generated for the re- 
lated content data C and distributes this to the network 

15 apparatus 360-1 . 

[0959] Further, the service provider 31 Ob provides for 
example a karaoke service. This service generates a se- 
cure container 304b storing the content data C related 
to the related karaoke service and price tag data 312b 

20 uniquely generated for the related content data C and 
distributes this to the network apparatus 3601 . 
[0960] Here, the formats of the secure containers 
304a and 304b are the same as that of the secure con- 
tainer 304 explained by using Fig. 53. 

25 [0961] A network apparatus 360ai is provided with 
CA modules 311a and 311b corresponding to the serv- 
ice providers 310a and 310b. 

[0962] The CA modules 311a and 311b receive the 
distribution of the secure containers 304a and 304b from 
30 the service providers 31 Oa and 31 Ob in response to their 

own requests. 

[0963] Next, the CA modules 311a and 311b generate 
SP use purchase log data 309a and 309b in accordance 
with the distributed secure containers 304a and 304b 
35 and transmit them to the service providers 310a and 
310b. 

[0964] Further, the CA modules 311a and 311b de- 
crypt the secure containers 304a and 304b by the ses- 
sion key data Kg^g and then output the same to the 

40 SAMs 305^ to 3054. 

[0965] Next, the SAMs 305-, to 3064 decrypt the key 
files KF in the secure containers 304a and 304b by using 
the common distribution key data KD-, to KD3, perform 
the processing concerning the purchase and/or usage 

45 of the content in accordance with the operation from the 
user based on the common usage control policy data 
1 06, and generate the usage log data 308 in accordance 
with that . 

[0966] Then, the usage log data 308 is transmitted 
50 from the SAMs 305-, to 3054 to the EMD service center 
302. 

[0967] The EM D service center 302, based on the us- 
age log data 308, determines (calculates) the charge 
content for each of the content provider 301 and the 
55 service providers 31 Oa and 31 Ob and generates the set- 
tlement claim data 1 52c, 1 52sa, and 1 52sb correspond- 
ing to them based on the results thereof. 
[0968] The EM D service center 302 transmits the set- 



54 



107 



EP 1 120 715 A1 



108 



tiement claim data 152c, 152sa, and 152sb to the set- 
tlement organization 91 via the payment gateway 90. By 
this, the money paid by the user of the user home net- 
work 303 to the settlement organization 91 is distributed 
to the owners of the content provider 301 and the service 
providers 31 Oa and 31 Ob. 

[0969] As mentioned above, according to the ElVID 
system 300b, when supplying the same content file CF 
to the service providers 31 Oa and 31 Ob, the usage con- 
trol policy data 1 06 for the related content file CF is en- 
crypted by the distribution key data KD-, to KDq and sup- 
plied to the service providers 310a and 310b, and the 
service providers 310a and 310b distribute the secure 
containers 304a and 304b storing the encrypted usage 
control policy data 1 06 as it is to the user home network. 
For this reason, the SAIVIs 305^ to 3064 in the user home 
network can perform right clearing based on the com- 
mon usage control policy data 1 06 no matter from which 
of the service providers 31 Oa or 31 Ob the content file CF 
is distributed. 

[0970] Note that, in the first modification, the case 
where two service providers were used was illustrated, 
but in the present invention, any number of the service 
provider may be used. 

Second Modification of Second Embodiment 

[0971] Figure 81 is a view of the configuration of an 
EMD system 300b using a plurality of content providers 
according to a second modification of the second em- 
bodiment. 

[0972] In Fig. 81, components given the same refer- 
ences as those of Fig. 49 are the same as the compo- 
nents having the same references explained in the sec- 
ond embodiment. 

[0973] As shown in Fig. 81, the EMD system 300b 
supplies the secure containers 1 04a and 1 04b from con- 
tent providers 301a and 301b to the service provider 
310. 

[0974] The service provider 31 0 provides the service 
by using the content supplied by for example the content 
providers 301a and 301b, generates the price tag data 
312a for the secure container 104a and the price tag 
data 31 2b for the secure container 1 04b, and generates 
a secure container 304c storing them. 
[0975] As shown in Fig. 81 , the secure container 304c 
stores the content data CFa, CFb, key files KFa and 
KFb, price tag data 31 2a and 31 2b, and signature data 
based on the secret key data Kqpq of the service pro- 
vider 31 0 for each of them. 

[0976] The secure container 304c is received at the 
CA module 311 of the network apparatus 3601 of the 
user home network 303 and then processed at the 
SAMs 305^ to 3064. 

[0977] The SAMs 305^ to 8064 decrypt the key file 
KFa by using the distribution key data KDa-, to KDag, 
perform the processing concerning the purchase and/or 
usage in accordance with the operation from the user 



for the content file CFa based on the usage control pol- 
icy data 1 06a, and describe the log thereof in the usage 
log data 308. 

[0978] Further, the SAMs 305^ to 3064 decrypt the key 
5 file KFb by using distribution key data KDb-, to KDbg, 
perform the processing concerning the purchase and/or 
usage in accordance with the operation from the user 
for the content file CFb based on the usage control pol- 
icy data 1 06b, and describe the log thereof in the usage 
log data 308. 

[0979] Then, the usage log data 308 is transmitted 
from the SAMs 305^ to 3064 to the EMD service center 
302. 

[0980] The EMD service center 302 determines (cal- 
culates) the charge content for each of the content pro- 
viders 301a and 301b and the service provider 310 
based on the usage log data 308 and generates settle- 
ment claim data 1 52ca, 1 52cb, and 1 52s corresponding 
to them based on the results thereof. 
[0981 ] The EM D service center 302 transmits the set- 
tlement claim data 1 52ca, 1 52cb, and 1 52s via the pay- 
ment gateway 90 to the settlement organization 91 and 
distributes the money paid by the user of the user home 
network 303 to the settlement organization 91 to the 
owners of the content providers 301 a and 301 b and the 
service provider 31 0 by this. 

[0982] As mentioned above, according to the EMD 
system 300b, as the usage control policy data 1 06a and 
1 06b of the content files CFa and CFb stored in the se- 
cure container 304, those generated by the content pro- 
viders 301a and 301b are used as they are, therefore, 
the SAMs 305-, to 3054 reliably carry out the right clear- 
ing for the content files CFa and CFb based on the us- 
age control policy data 1 06a and 1 06b according to the 
intention of the content providers 301 a and 301 b. 
[0983] Note that, in the second modification shown in 
Fig. 81 , the case where two content providers were used 
was illustrated, but any number of the content providers 
may be used. 

[0984] Further, there may be a plurality of both of the 
content providers and service providers. 

Third Modification of Second Embodiment 

[0985] Figure 82 is a view of the configuration of the 
EMD system according to a third modification of the sec- 
ond embodiment. 

[0986] In the second embodiment, the case where the 
EMD service center 302 performed the settlement of the 
content provider 301 and the service provider 310 with 
respect to the settlement organization 91 was illustrat- 
ed, but in the present invention, for example, as shown 
in Fig. 82, it is also possible that the settlement claim 
data 152c for the content provider 301 and the settle- 
ment claim data 152s for the service provider 310 be 
generated based on the usage log data 308 in the EMD 
service center 302 and that they be transmitted to the 
content provider 301 and the service provider 310. 
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[0987] In this case, the content provider 301 performs 
the settlement at a settlement organization 91a via a 
payment gateway 90a by using the settlement claim da- 
ta 152c. Further, the service provider 310 performs the 
settlement at a settlement organization 91b via a pay- 
ment gateway 90b by using the settlement claim data 
152s. 

Fourth Modification of Second Embodiment 

[0988] Figure 83 is a view of the configuration of the 
EMD system according to a fourth modification of the 
second embodiment. 

[0989] In the second embodiment, the case where the 
service provider 31 0 did not have a charging function as 
in for example the current Internet was illustrated, but 
where the service provider 310 has a charging function 
as in the current digital broadcasting, the CA module 311 
generates a usage log data 308s with respect to the 
service of the service provider 310 concerning the se- 
cure container 304 and transmits it to the service pro- 
vider 310. 

[0990] Then, the service provider 310 performs the 
charge processing based on the usage log data 308s to 
generate the settlement claim data 152s and performs 
the settlement at the settlement organization 91 b via the 
payment gateway 90b by using this. 
[0991] On the other hand, the SAMs 305^ to 3064 gen- 
erate usage log data 308c with respect to the right clear- 
ing of the content provider 301 concerning the secure 
container 304 and transmit them to the EMD service 
center 302. 

[0992] The EMD service center 302 generates the 
settlement claim data 152c based on the usage log data 
308c and transmits this to the content provider 301 . 
[0993] The content provider 301 performs the settle- 
ment at the settlement organization 9 1 a via the payment 
gateway 90a by using the settlement claim data 152c. 

Fifth Modification of Second Embodiment 

[0994] In the embodiment, as shown in Fig. 49, the 
case where the user preference filter data 903 was gen- 
erated based on the usage log data 308 received from 
the SAM 305^ etc. in the user preference filter creator 
901 of the EMD service center 302 was illustrated, but 
it is also possible that for example the usage control sta- 
tus data 166 generated at the usage monitor 186 such 
as the SAM 305-| shown in Fig. 67 be transmitted to the 
EMD service center 302 in real-time and that the user 
preference filter data 903 be generated based on the 
usage control status data 166 in the SP use purchase 
log data 309. 

Sixth Modification of Second Embodiment 

[0995] The content provider 301 , the service provider 
310, and the SAMs305i to3054can register their secret 



key data Kcp,s. Ksp,s, and Ksami,s ^ Ksam4,s the 
EMD service center 302 too other than their public key 
data Kcp,p, Ksp^p, and Ksami,p ^ Ksam4,p- 
[0996] By doing this, it becomes possible for the EMD 

5 service center 302 to tap communication concerned in 
the communication between the content provider 301 
and the service provider 310, the communication be- 
tween the service provider 310 and the SAMs 305-| to 
3054, and the communication among the SAMs 305^ to 

10 3064 in the user home network 303 by using the secret 
key data Kcp,s, Ksp,s, and Ksami,s ^ Ksam4,s re- 
sponse to demands from the nation or the police organ- 
ization at the time of an emergency. 
[0997] Further, it is also possible that the secret key 

15 data KsAMi,s to K3ai\/|4,s t)® generated for the SAMs 
305^ to 3054 by the EMD service center 302 at the time 
of shipping and that they be stored in the SAMs 305^ to 
3064 and, at the same time, held (registered) by the 
EMD service center 302. 

20 

Seventh Modification of Second Embodiment 

[0998] In the above embodiment, the case where pub- 
lic key certificate data CERqp, CERgp, and CERgAMi to 

25 CERsAM4 were acquired from the EMD service center 
302 in advance when the content provider 301 , service 
provider 310, and SAMs 305-, to 3064 communicated 
with respect to each other and were transmitted to the 
destination of communication by the in-band method 

30 was illustrated, but in the present invention, various 
modes can be employed as the mode of transmission 
of public key certificate data to the destination of com- 
munication. 

[0999] For example, it is also possible that the public 
35 key certificate data CERqp, CERgp, and CERgAMi to 
CER3AM4 be acquired from the EMD service center 302 
in advance when the content provider 301 , service pro- 
vider 31 0, and the SAM 305-, to 3054 communicate with 
respect to each other and be transmitted to the destina- 
40 tion of communication by the in-band method preceding 
the related communication. 

[1000] Further, it is also possible for the content pro- 
vider 301, the service provider 310, and the SAM 305^ 
to 3064 to acquire the public key certificate data CERqp, 

45 CERgp and CERsami to CERsam4 ^''^'^^ the EMD serv- 
ice center 302 at the time of communication. 
[1001] Figure 84 is a view for explaining the mode of 
the route of acquiring the public key certificate data. 
[1002] Note that, in Fig. 84, components given the 

50 same references as those of Fig. 49 are the same as 
the components having the same references. Further, 
a user home network303a is the same as the user home 
network 303 mentioned before. In a user home network 
303b, SAMs 305-1 to 305-, 4 are connected via a bus 191, 

55 that is, an IEEE 1394 serial bus. 

[1003] When the content provider 301 acquires the 
public key certificate data CER3P of the service provider 
31 0, there are for example a case where the public key 
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certificate data CERsp is transmitted from tine service 
provider 310 to tine content provider 301 preceding tine 
communication ((3) in Fig. 84) and a case where the 
content provider 301 orders the public key certificate da- 
ta CERsp from the EMD service center 302 ((1) in Fig. 
84). 

[1004] Further, when the service provider 310 ac- 
quires the public key certificate data CERcp of the con- 
tent provider 301 , there are for example a case where 
the public key certificate data CERqp is transmitted from 
the content provider 301 to the service provider 31 0 pre- 
ceding the communication ((2) in Fig. 84) and a case 
where the service provider 310 orders the public key 
certificate data CERqp from the EMD service center 302 
((4) in Fig. 84). 

[1005] Further, when the service provider 310 ac- 
quires the public key certificate data CERsami 
CERsAM4 of the SAMs 305^ to 3064, there are for ex- 
ample a case where the public key certificate data 
CERsAMi to *^ERsAM4 transmitted from the SAMs 
305^ to 3064 to the service provider 310 preceding the 
communication ((6) in Fig. 84) and a case where the 
service provider 31 0 orders the public key certificate da- 
ta CER3AM1 to CER3AM4 from the EMD service center 
302 ((4) in Fig. 84). 

[1006] Further, when the SAMs 305^ to 3064 acquire 
the public key certificate data CER3P of the service pro- 
vider 31 0, there are for example a case where the public 
key certificate data CERgp is transmitted from the serv- 
ice provider 310 to the SAMs 305-, to 3064 preceding 
the communication ((5) in Fig. 84) and a case where the 
SAMs 3051 to 3054 order the public key certificate data 
CERsp from the EMD service center 302 ((7) in Fig. 84, 
etc.). 

[1 007] Further, when the SAM 305-, acquires the pub- 
lic key certificate data CERsam2 the SAM 3052, there 
are for example a case where the public key certificate 
data CERsAM2 transmitted from the SAM 3052 to the 
SAM 305-1 preceding the communication ((8) in Fig. 84) 
and a case where the SAM 305^ orders the public key 
certificate data CERsaivi2 ^''om the EMD service center 
302 ((7) in Fig. 84, etc.). 

[1008] Further, when the SAM 3052 acquires the pub- 
lic key certificate data CERsami of the SAM 305^ , there 
are for example a case where the public key certificate 
data CERsami transmitted from the SAM 305-, to the 
SAM 3052 preceding the communication ((9) in Fig. 84), 
a case where the SAM 3052 orders the public key cer- 
tificate data CERsami ^''orn the EMD service center 302 
by itself, and a case where the SAM 3052 orders the 
public key certificate data CERsami via the network ap- 
paratus with the SAM 305-, mounted therein ((7), (8) in 
Fig. 84). 

[1 009] Further, when the SAM 3064 acquires the pub- 
lic key certificate data CERsami 3 of the SAM 305^3, 
there are for example a case where the public key cer- 
tificate data CERsami 3 transmitted from the SAM 
305-13 to the SAM 3054 preceding the communication 



((1 2) in Fig. 84), a case where the SAM 8064 orders the 
public key certificate data CERsami 3 ^''om the EMD 
service center 302 by itself ((10) in Fig. 84), and a case 
where the SAM 3054 orders the public key certificate 
5 data CERsami 3 via the network apparatus in the user 
home network 303b. 

[1010] Further, when the SAM 305^3 acquires the 
public key certificate data CERsam4 of the SAM 3054, 
there are for example a case where the public key cer- 

10 tificate data CERsam4 transmitted from the SAM 3054 
to the SAM 305-13 preceding the communication ((11) in 
Fig. 84), a case where the SAM 305-, 3 orders the public 
key certificate data CERsam4 ^''om the EMD service 
center 302 by itself ((13) in Fig. 84), and a case where 

15 the SAM 305-13 orders the public key certificate data 
CERsAM4 via the network apparatus in the user home 
network 303b. 

Handling of Public Key Certificate Revocation List 



[1011] In the second embodiment, in order to prevent 
a content provider 301, a service provider 310, and 
SAMs 305-1 to 3054 used for an illegal action etc. from 

25 communicating with another apparatus in the EMD serv- 
ice center 302, the public key certificate revocation list 
for invalidating the public key certificate data of the ap- 
paratus used for the related illegal action is generated. 
Then, the related public key certificate revocation list 

30 CRL is transmitted to the content provider 301 , service 
provider 310, and SAMs 305^ to 3054. 
[1 01 2] Note that, it is also possible that the public key 
certificate revocation list CRL be generated in for exam- 
ple the content provider 301 , the service provider 310, 

35 and the SAMs 305-, to 3054 other than the EMD service 
center 302. 

[1013] First, an explanation will be made of the case 
where the EMD service center 302 invalidates the public 
key certificate data CERqp of the content provider 301 . 

40 [1014] As shown in Fig. 85, the EMD service center 
302 transmits a public key certificate revocation list 
CRL-i indicating the invalidation of the public key certif- 
icate data CERqp to the service provider 31 0 ((1 ) in Fig. 
85). When verifying the signature data input from the 

45 content provider 301 , the service provider 31 0 decides 
the validity of the public key certificate data CERqp by 
referring to the public key certificate revocation list 
CRL-i, verifies the signature using the public key data 
Kqp p when it decides that it is valid, and invalidates the 

50 data from the content provider 301 without verifying the 
signature when it decides that it is invalid. Note that, it 
is also possible not to invalidate the data, but reject the 
communication. 

[1 01 5] Further, the EM D service center 302 transmits 
55 the public key certificate revocation list CRL-, to for ex- 
ample the SAM 305-, in the user home network 303 by 
utilizing distribution resources of the service provider 
310 by either one of the broadcast type or on-demand 
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type ((1), (2) in Fig. 85). When verifying tine signature 
data of the content provider 301 stored in the secure 
container input from the service provider 310, the SAIVI 
305^ decides the validity of the public key certificate data 
CERqp by referring to the public key certificate revoca- 
tion list CRL-i , verifies the signature using the public key 
data Kqp p when it decides it is valid, and invalidates the 
related secure container without verifying the signature 
when it decides it is invalid. 

[1016] Note that, it is also possible for the ElVID serv- 
ice center 302 to directly transmit the public key certifi- 
cate revocation list CRL^ to the SAI\/I 305^ via the net- 
work apparatus in the user home network 303 ((3) in 
Fig. 85). 

[1017] Next, an explanation will be made of the case 
where the EM D service center 302 invalidates the public 
key certificate data CERgp of the service provider 310. 
[1018] As shown in Fig. 86, the EMD service center 
302 transmits a public key certificate revocation list 
CRL2 indicating the invalidation of the public key certif- 
icate data CERsp to the content provider 301 ((1 ) in Fig. 
86). When verifying the signature data input from the 
service provider 31 0, the content provider 301 decides 
the validity of the public key certificate data CERsp by 
referring to the public key certificate revocation list 
CRL2, verifies the signature using the public key data 
Ksp p when it decides it is valid, and invalidates the data 
from the service provider 31 0 without verifying the relat- 
ed signature when it decides it is invalid. 
[1019] Further, the EMD service center 302 transmits 
the public key certificate revocation list CRL2 to for ex- 
ample the SAM 305-1 in the user home network 303 by 
utilizing the distribution resources of the service provider 
31 0 by either the broadcast type or on-demand type ((2) 
in Fig. 86). When verifying the signature data of the con- 
tent provider 301 stored in the secure container input 
from the service provider 310, the SAM 305-| decides 
the validity of the public key certificate data CERsp by 
referring to the public key certificate revocation list 
CRL2, verifies the signature using the public key data 
Ksp p when it decides it is valid, and invalidates the re- 
lated secure container without verifying the signature 
when it decides it is invalid. 

[1020] In this case, in the service provider 310, the 
module for transferring the public key certificate revoca- 
tion list CRL2 must have tamper resistance. Further, in 
the service provider 310, the public key certificate rev- 
ocation list CRL2 must be stored in a region where tam- 
pering by related parties of the service provider 310 is 
difficult. 

[1021] Note that, it is also possible for the EMD serv- 
ice center 302 to directly transmit the public key certifi- 
cate revocation list CRL2 to the SAM 305.| via the net- 
work apparatus in the user home network 303 ((3) in 
Fig. 86). 

[1022] Next, an explanation will be made of a case 

where the EMD service center 302 invalidates for ex- 
ample the public key certificate data CERsam2 



SAM 3052- 

[1023] As shown in Fig. 87, the EMD service center 
302 transmits a public key certificate revocation list 
CRL3 indicating the invalidation of the public key certif- 

5 icate data CERs^^2 the content provider 301 ((1 ) in 
Fig. 87). The content provider 301 transmits the public 
key certificate revocation list CRL3 to the service pro- 
vider 31 0. The service provider 31 0 transmits the public 
key certificate revocation list CRL3 to for example the 

10 SAM 305-1 in the user home network 303 by utilizing its 
own distribution resources by either the broadcast type 
or on-demand type ((1) in Fig. 87). When verifying the 
signature data of the SAM 3052 added to the data input 
from the SAM 3052, the SAM 305-, decides the validity 

15 of the public key certificate data CERsam2 referring 
to the public key certificate revocation list CRL3, verifies 
the signature using the public key data Ksam2,p when it 
decides it is valid, and invalidates the related data with- 
out verifying the signature when it decides it is invalid. 

20 [1024] In this case, in the service provider 310, the 
module for transferring the public key certificate revoca- 
tion list CRL3 must have tamper resistance. Further, in 
the service provider 310, the public key certificate rev- 
ocation list CRL3 must be stored in a region where tam- 

25 pering by related parties of the service provider 310 is 
difficult. 

[1025] It is also possible for the EMD service center 
302 to transmit the public key certificate revocation list 
CRL3 to the SAM 305-1 via the service provider 31 0 ((1 ), 

30 (2) in Fig. 87). 

[1 026] Note that, it is also possible for the EMD serv- 
ice center 302 to directly transmit the public key certifi- 
cate revocation list CRLg to the SAM 305^ via the net- 
work apparatus in the user home network 303 ((3) in 

35 Fig. 87). 

[1 027] Further, the EM D service center 302 generates 
and stores the public key certificate revocation list CRL3 
indicating the invalidation of for example the public key 
certificate data CER3;^^2 of the SAM 3052- 
40 [1028] Further, the user home network 303 generates 
a SAM registration list SRL of the SAMs connected to 
the bus 1 91 and transmits this to the EMD service center 
302 ((1) in Fig. 88). 

[1029] The EMD service center 302 identifies the 
45 SAMs (for example SAM 3052) for which invalidation is 
indicated by the public key certificate revocation list 
CRL3 among the SAMs 305-, to 3054 indicated in the 
SAM registration list, sets revocation flags correspond- 
ing to the related SAMs in the SAM registration list SRL 
50 so as to indicate the invalidity, and thereby generates a 
new SAM registration list SRL. 

[1030] Next, the EMD service center 302 transmits 
the related generated SAM registration list SRL to the 
SAM 305i ((1) in Fig. 88). 
55 [1 031 ] The SAM 305^ determines the existence of the 
verification of the signature data and whether or not the 
communication is permitted by referring to the revoca- 
tion flags of the SAM registration list SRL when commu- 
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nicating with another SAM. 

[1032] Further, the EM D service center 302 generates 
the public key certificate revocation list CRL3 and trans- 
mits this to the content provider 301 ((2) in Fig. 88). 
[1033] The content provider 301 transmits the public 
key certificate revocation list CRL3 to the service pro- 
vider 310 ((2) in Fig. 88). 

[1034] Next, the service provider 310 transmits the 
public key certificate revocation list CRL3 to the SAM 

305^ by either the broadcast type or on-demand type by 
utilizing its own distribution resources ((2) in Fig. 88). 
[1 035] The SAM 305-, identifies the SAM (for example 
SAM 3062) for which invalidation is indicated by the pub- 
lic key certificate revocation list CRL3 among the SAMs 
305-1 to 3054 indicated in the SAM registration list gen- 
erated by itself and sets revocation flags corresponding 
to the related SAMs in the SAM registration list SRL so 
as to indicate the invalidity. 

[1036] After that, the SAM 305^ determines the exist- 
ence of the verification of the signature data and wheth- 
er or not communication is permitted by referring to the 
revocation flags of the related SAM registration list SRL 
when communicating with another SAM. 
[1037] Further, the EMD service center 302 generates 
the public key certificate revocation list CRL3 and trans- 
mits this to the service provider 310 ((3) in Fig. 88). 
[1038] Next, the service provider 310 transmits the 
public key certificate revocation list CRL3 to the SAM 
305-1 by either one the broadcast type or on-demand 
type by utilizing its own distribution resources ((3) in Fig. 
88). 

[1039] The SAM 305^ specifies the SAMs (for exam- 
ple SAM 3052) for which invalidation is indicated by the 
public key certificate revocation list CRL3 among the 
SAMs 305-1 to 3054 indicated in the SAM registration list 
generated by itself and sets revocation flags corre- 
sponding to the related SAMs in the SAM registration 
list SRL so as to indicate the invalidity. 
[1040] After that, the SAM 305^ determines the exist- 
ence of the verification of the signature data and wheth- 
er or not communication is permitted by referring to the 
revocation flags of the related SAM registration list SRL 
when communicating with another SAM. 

Role Etc. of EMD Service Center 302 

[1041] Figure 89 is a view of the configuration of the 
EMD system when the functions of the EMD service 
center (clearing house) 302 shown in Fig. 49 are divided 
between a right management clearing house 950 and 
an electronic settlement clearing house 951 . 
[1042] In the related EMD system, in the electronic 
settlement clearing house 951 performs the settlement 
processing (profit distribution processing) based on the 
usage log data 308 from the SAMs of the user home 
networks 303a and 303b, generates the settlement 
claim data of the content provider 301 and the service 
provider 31 0, and performs settlement at the settlement 



organization 91 via the payment gateway 90. 
[1043] Further, the right management clearing house 
950 generates the settlement reports of the content pro- 
vider 301 and the service provider 310 in accordance 
5 with the settlement notification from the electronic set- 
tlement clearing house 951 and transmits them to the 
content provider 301 and the service provider 310. 
[1 044] Further, it performs the registration (authoriza- 
tion) etc. of the usage control policy data 106 and the 
content key data Kc of the content provider 301 . 
[1045] Note that, as shown in Fig. 90, when the right 
management clearing house 950 and the electronic set- 
tlement clearing house 951 are accommodated in a sin- 
gle apparatus, the EMD service center 302 shown in Fig. 
49 is formed. 

[1046] Further, in the present invention, for example, 
as shown in Fig. 91 , it is also possible to provide the 
functions of a right management clearing house 960 in 
the EMD service center 302, perform the registration 
etc. of the usage control policy data 1 06 in the right man- 
agement clearing house 960 and, at the same time, gen- 
erate the settlement claim data of the service provider 
310 based on the usage log data 308 from the SAMs 
and transmit this to the service provider 310. In this 
case, the service provider 310 utilizes its own charge 
system as an electronic settlement clearing house 961 
and performs the settlement based on the settlement 
claim data from the right management clearing house 
960. 

[1047] Further, in the present invention, for example 
as shown in Fig. 92, it is also possible to provide the 
function of a right management clearing house 970 in 
the EMD service center 302, perform the registration 
etc. of the usage control policy data 1 06 in the right man- 
agement clearing house 970 and, at the same time, gen- 
erate the settlement claim data of the content provider 
301 based on the usage log data 308 from the SAM and 
transmit this to the content provider 301. In this case, 
the content provider 301 utilizes its own charge system 
as an electronic settlement clearing house 971 and per- 
forms the settlement based on the settlement claim data 
from the right management clearing house 970. 

Eighth Modification of Second Embodiment 

[1 048] In the second embodiment, the case where the 
secure container 1 04 of the format shown in Fig. 4 was 
provided from the content provider 301 to the service 
provider 31 0 and the secure container 304 of the format 
shown in Fig. 53 was distributed from the service pro- 
vider 31 0 to the user home network 303 in the EM D sys- 
tem 300 shown in Fig. 49 was illustrated. 
[1049] Namely, in the second embodiment, as shown 
in Fig. 4 and Fig. 53, the case of storing a single content 
file CF and a single key file KF corresponding to the re- 
lated content file CF in the secure container 1 04 and the 
secure container 304 was illustrated. 
[1050] In the present invention, it is also possible to 
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store a plurality of content files CF and a plurality of key 
files KF corresponding to the related plurality of content 
files CF in the secure container 1 04 and the secure con- 
tainer 304. 

[1 051 ] Figure 93 is a view for explaining the format of 
the secure container 104a provided from the content 
provider 301 to the service provider 310 shown in Fig. 
49 in the present modification. 

[1052] As shown in Fig. 93, the secure container 1 04a 

stores the content files CF-, q-, , CF-, and CF^ Q3, the key 
files KF^oi' ^^1^1 02' ^1^103' public key certificate 
data CERqp, the signature data SIG^ ^SC' ^'9" 
nature data SIGq25o,cp- 

[1053] Here, the signature data SIGq25o,cp gener- 
ated by the content provider 301 taking the hush values 
with respect to all of the content files CF^ 01 > ^^l^i 02' 
CF-103, the key files KF-iq-i, KF-102, and KF-103, the public 
key certificate data CERqp, and the signature data 
SIG1 

ESC using the secret key data Kqp3 of the content 
provider 301 . 

[1054] The content file CF-i 01 stores a header, link da- 
ta LD^, meta-data Meta-,, content data C^, and an A/V 

decompression software Soft^. 

[1055] Here, the content data C^ and the A/V decom- 
pression software Soft^ is encrypted by using the con- 
tent key data Kc-, mentioned above, while the meta-data 
Meta-i is encrypted by using the content key data Kc-| 
according to need. 

[1056] Further, the content data C-, is compressed by 
for example the ATRAC3 method. The AA/ decompres- 
sion software Soft^ is the software for the decompres- 
sion of the ATRAC3 method. 

[1057] Further, the link data LD^ indicates the link to 

the key file KF-|o-|. 

[1058] The content file CF-|Q2 stores the header, link 
data LD2, meta-data Meta2, content data C2, and an A/ 
V decompression software Soft2 are stored. 
[1 059] Here, the content data C2 and the A/V decom- 
pression software Soft2 are encrypted by using the con- 
tent key data KC2 mentioned above, while the meta-data 
Meta2 is encrypted by using the content key data KC2 
according to need. 

[1 060] Further, the content data C2 is compressed by 

for example the MPEG2 method. The A/V decompres- 
sion software Soft2 is the software for the decompres- 
sion of the MPEG2 method. 

[1061] Further, the link data LD2 indicates the link to 

the key file KF-|Q2. 

[1062] The content file CF-103 stores a header, linkda- 
ta LD3, meta-data Meta3, content data C2, and an A/V 
decompression software Soft3. 

[1063] Here, the content data C3 and the A/V decom- 
pression software Soft3 are encrypted by using the con- 
tent key data KC3 mentioned above, while the meta-data 
Meta3 is encrypted by using the content key data Kcg 
according to need. Further, the content data C3 is com- 
pressed by for example the JPEG method. The A/V de- 
compression software Soft3 is software for the decom- 



pression of the JPEG method. 

[1064] Further, the link data LD3 indicates the link to 
the key file KFio3- 

[1065] The key file KF^qi stores a header, content key 
5 data Kc-i encrypted by using the distribution key data 
KD^ to KD3, usage control policy data ^06^, SAM pro- 
gram download container SDC^, and signature certifi- 
cate module Mod2oo- 

[1 066] Here, the signature certificate module Mod200' 
as shown in Fig. 94A, stores the signature data 
SIG21-1 Qp, SIG212 CP' ^'^213 CP generated by tak- 
ing the hush values of the content data C-,, content key 
data Kc^ , and the usage control policy data 1 06-1 and 
using the secret key data Kqp3 of the content provider 
301 , the public key certificate data CERqp of the public 
key data KQp p, and the signature data SIG^ of the 
EMD service center 302 with respect to the related pub- 
lic key certificate data CERqp. 

[1 067] The key file KF^ 02 stores a header, content key 
data Kc2 encrypted by using the distribution key data 
KD-i to KD3, usage control policy data IO62, SAM pro- 
gram download container SDC2, and a signature certif- 
icate module Mod2oi- 

[1 068] Here, the signature certificate module Mod2oi , 
as shown in Fig. 94 B, stores the signature data 

SIG22i,cP' ^'^222, CP' ^'^223, CP generated by tak- 
ing the hush values of the content data C2, content key 
data KC2, and the usage control policy data 1 062 and 
using the secret key data Kqps of the content provider 
301, public key certificate data CERqp, and signature 
dataSIGn 

ESC ^'^l^ respect to the related public key cer- 
tificate data CERqp. 

[1 069] The key file KF^ 03 stores a header, content key 
data KC3 encrypted by using the distribution key data 
KD-i to KD3, usage control policy data 1 063, a SAM pro- 
gram download container SDC3, and a signature certif- 
icate module Mod202- 

[1 070] Here, the signature certificate module Mod202' 
as shown in Fig. 94C, stores the signature data 
SIG23-1 Qp, SIG232 CP ^^'^ ^'^233 CP generated by tak- 
ing the hush values of the content data C3, content key 
data Kcg, and usage control policy data IO63 and using 
the secret key data Kqp s of the content provider 301, 
public key certificate data CERqp, and signature data 
SIG^ ESQ with respect to the related public key certificate 
data CERqp- 

[1071] When receiving the distribution of the secure 
container 104a shown in Fig. 93, the service provider 
310 confirms the legitimacy of the signature data 
SIGq25o,cp using the public key data Kqp p stored in 
the public key certificate data CERqp after confirming 
the legitimacy of the related public key certificate data 
CERqp by using the public key data K^sc.p of the EMD 
service center 302. 

[1072] Then, when confirming the legitimacy of the 
signature data SIGq25o,cP' ^s shown in Fig. 95, the serv- 
ice provider 310 generates the secure container 304a 
storing the content files CF^qi' ^1^102' ^1^103 
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the key files KF-|oi, and KF-103 obtained from the 

secure container 104a, public key certificate data CER- 
sp of the service provider 31 0, signature data SIGe^ ^SC' 
price tag data 312^, 3122, ^123, and a signature 
data SIG26o,sp- 

[1073] Here, the price tag data 312-,, 3122, ^^^3 
indicate the sale prices of the content data C^, C2, and 

[1074] Further, the signature data SIG26o,sp gener- 
ated by taking the hush value with respect to all of the 
content files CF^qi' ^f^i02' ^^^03^ ^''^^ ^1^101' 
KF-i 02, and KF^ qs' public key certificate data CERgp, sig- 
nature data SIGg-i ESC' and the price tag data 312-,, 
3122, and 3123 and by using the secret key data K3P3 
of the service provider 31 0. 

[1075] The service provider 31 0 distributes the secure 
container 304a shown in Fig. 95 to the user home net- 
work 303. 

[1076] In the user home network 303, the SAMs 305^ 
to 3054 confirm the legitimacy of the signature data 
SIGqi^esc stored in the secure container 304a, then 
confirm the legitimacy of the signature data SIG26o,sp 
by using the public key data Kgp ^p stored in the public 
key certificate data CERsp. 

[1 077] Thereafter, the SAMs 305-, to 3054 perform the 

right clearing for the content data 01 ' ^1 02' and C-, 03 
in accordance with the linkstatuses indicated in the links 
LD-|, LD2, and LD3 based on the key files KF^qi' K^io2' 
and KF103. 

[1078] Note that, in the eighth modification, the case 

where the signature data SIGq25o,cp with respect to all 
of the content files CF^qi, ^^^02' and CF-103, key files 
KF-101, KFio2' and KF^qs, public key certificate data 
CERqp, and signature data SIG^ ^gc generated in 
the content provider 301 as shown in Fig. 93 was illus- 
trated, but it. is also possible to generate the signature 
data for each of for example the content files CF-101, 
CF-102' and CF^qs and the key files KF-101, ^^^02^ 
KF-103 and store this in the secure container 104a. 
[1079] Further, in the eighth modification, the case 
where the signature data SIG26o,cp with respect to all 
of the content files CF^qi' ^^^102' ^^i03* ^^V f''®^ 
KF-101, KF^o2' and KF^qS' public key certificate data 
CERsp, signature data SIGgi esC' and price tag data 
31 2^, 3122, and 31 23 was generated in the service pro- 
vider 310 as shown in Fig. 95 was illustrated, but it is 
also possible to generate the signature data for each of 
them and store them in the secure container 304a. 
[1080] Further, in the eighth modification, the case 
where the secure container 304 stored a plurality of con- 
tent files CF^ 01 ' ^1^1 02' and CF^ 03 provided from the sin- 
gle service provider 310 in the single secure container 
304a and distributed it to the user home network 303 
was illustrated, but it is also possible to distribute a plu- 
rality of content files CF provided from a plurality of con- 
tent providers 301a and 301b in the single secure con- 
tainer and distribute the same to the user home network 
303 as shown in Fig. 81 . 



[1081] Note that, the format shown in Fig. 93 can be 
similarly applied to also the case where the secure con- 
tainer 104 is transmitted from the content provider 101 
to the user home network 1 03 shown in Fig. 1 in the first 

5 embodiment. 

[1082] Further, in the above embodiment, the case 
where the settlement processing was carried out based 
on the usage log data input from the SAM in the EMD 
service center was illustrated, but it is also possible to 

10 transmit the usage control status data from a SAM to 
the EMD service center whenever the purchase mode 
of the content is determined in the SAM and perform the 
settlement processing by using the received usage con- 
trol status data in the EMD service center. 

15 [1083] Below, the concept of the content file CF and 
the key file KF etc. generated in the content provider 
101 will be summarized. 

[1084] When the content provider 101 provides con- 
tent by using the Internet, as shown in Fig. 96, a content 

20 file CF containing a header, content ID, encrypted con- 
tent data C using the content key data Kc, and signature 
data is generated as shown in Fig. 96. After the usage 
control policy data indicating the handling of the related 
content data C and the content key data Kc are encrypt- 

25 ed by the distribution key data of the predetermined re- 
liable managers, that is, the EMD service centers 102 
and 302, they are stored in the key file KF. Further, the 
key file KF stores a header and the content ID and, ac- 
cording to need, the meta-data and the signature data. 

30 [1085] Then, the content file CF and key file KF are 
provided directly from the content provider 101 to the 
user home networks 103 and 303 or provided from the 
content provider 1 01 to the user home networks 1 03 and 
303 via the service provider 31 0. 

35 [1086] Further, when the content provider 101 pro- 
vides the content by using the Internet, as shown in Fig. 
97, it is possible even if the content key data Kc is not 
stored in the key file KF, but the content key data Kc 
encrypted by the distribution key data of the predeter- 

40 mined reliable managers, that is, the EMD service cent- 
ers 102 and 302, are provided from the EMD service 
centers 1 02 and 302 to the user home networks 1 03 and 
303. 

[1087] Further, when the content provider 101 pro- 
45 vides the content by using a digital broadcast, for exam- 
ple, as shown in Fig. 98, it provides the content data C 
encrypted by using the content key data Kc and the sig- 
nature data from the content provider 101 to the user 
home networks 103 and 303 directly or via the service 
50 provider 310. In this case, the key data blocks corre- 
sponding to the key file KF shown in Fig. 97 are provided 
from the content provider 1 01 to the user home networks 
1 03 and 303 directly or via the service provider 31 0. 
[1 088] Further, in this case, for example, as shown in 
55 Fig. 99, it is also possible to provide the content key data 
Kc encrypted by the distribution key data of the EMD 
service centers 102 and 302 as the predetermined reli- 
able managers from the EMD service centers 102 and 
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302 to the user home networks 103 and 303. 

CAPABILITY OF UTILIZATION IN INDUSTRY 

[1089] As explained above, according to the present 5 
invention, the profit of related parties of the data provid- 
ing apparatus is suitably protected. 
[1090] Also, according to the present invention, the 
illicit tampering with the usage control policy data etc. 
can be suitably avoided. io 
[1091] Further, according to the present invention, the 
load of the inspection for protecting the profit of the re- 
lated parties of the data providing apparatus can be re- 
duced. 



Claims 

1 . A data providing system for distributing content data 
from a data providing apparatus to a data process- 20 
ing apparatus, wherein 

said data providing apparatus distributes a 
module storing the content data encrypted by 
using content key data, encrypted content key 25 
data, and an encrypted usage control policy da- 
ta indicating handling of said content data to 
said data processing apparatus and 
said data processing apparatus decrypts said 
content key data and said usage control policy so 
data stored in said distributed module and de- 
termines the handling of said content data 
based on the related decrypted usage control 
policy data. 

35 

2. A data providing system as set forth in claim 1, 
wherein: 

said data providing apparatus distributes said 
module storing said content key data and said 40 
usage control policy data encrypted using dis- 
tribution key data to said data processing ap- 
paratus and 

said data processing apparatus decrypts said 
content key data and said usage control policy ^5 
data stored in said distributed module using 
said distribution key data. 

3. A data providing system as set forth in claim 2, fur- 
ther comprising a management apparatus for man- 50 
aging said distribution key data and distributing said 
distribution key data to said data providing appara- 
tus and said data processing apparatus. 

4. A data providing system as set forth in claim 1, 55 
wherein said data providing apparatus generates its 
own signature data for at least one of said content 
key data and said usage control policy and distrib- 



utes said module storing said generated signature 
data to said data processing apparatus. 

5. A data providing system as set forth in claim 4, 
wherein said data providing apparatus generates 
said signature data using its own secret key data 
and distributes said module storing public key data 
corresponding to said secret key data to said data 
processing apparatus. 

6. A data providing system as set forth in claim 5, 

further comprising a management apparatus 
for preparing public key certificate data certify- 
ing the legitimacy of said public key data, 
wherein 

said data providing apparatus distributes said 
module storing said public key certificate data 
to said data processing apparatus. 

7. A data providing system as set forth in claim 1, 
wherein said data providing apparatus distributes 

a first file storing said content data and 

a second file storing said content key data and 

said usage control policy 

to said data processing apparatus. 

8. A data providing system as set forth in claim 7, 
wherein said data providing apparatus generates 
signature data using its own secret key data for the 
first file and the second file and distributes said 
module storing said generated signature data to 
said data processing apparatus. 

9. A data providing system as set forth in claim 8, 
wherein said data processing apparatus distributes 
said module storing public key data corresponding 
to said secret key data to said data processing ap- 
paratus. 

10. A data providing system as set forth in claim 1, 
wherein said data providing apparatus performs 
mutual authentication with said data processing ap- 
paratus, encrypts said module using session key 
data obtained by said mutual authentication, and 
transmits said encrypted module to said data 
processing apparatus. 

11. A data providing system as set forth in claim 1, 
wherein said data providing apparatus generates a 
storage medium storing said module. 

12. A data providing system as set forth in claim 1, 
wherein said data processing apparatus deter- 
mines at least one of a purchase mode and usage 
mode of said content data based on said usage con- 
trol policy. 
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13. A data providing system as set fortli in claim 1, 
wherein said data processing apparatus outputs 
said decrypted content key data and said encrypted 
content data to a decryption apparatus. 

5 

14. A data providing system as set forth in claim 9, 
wherein said data processing apparatus verifies the 
legitimacy of signature data stored in said module 
using public key data stored in said module. 

10 

15. A data providing system as set forth in claim 3, 
wherein: 

said data processing apparatus determines at 
least one of a purchase mode and usage mode 15 
of distributed content data based on usage con- 
trol policy data and transmits log data indicating 
a log of at least said determined purchase 
mode and usage mode and 
said management apparatus performs profit 20 
distribution processing for distributing profit ob- 
tained accompanied with said purchase and 
said usage of said content data in said data 
processing apparatus to related parties of said 
data providing apparatus based on said re- 25 
ceived log data. 

16. A data providing system as set forth in claim 1, 
wherein said data processing apparatus is com- 
prised of a module making it difficult for the process- 30 
ing content, predetermined data stored in an inter- 
nal memory, and data being processed from being 
monitored and tampered with from the outside. 



data, content key data, and usage control policy 
data stored in said provided first module to said 
data processing apparatus, and 
said data processing apparatus decrypts said 
content key data and said usage control policy 
data stored in said distributed second module 
and determines the handling of said content da- 
ta based on the related decrypted usage control 
policy data. 

19. A data providing system as set forth in claim 18, 
wherein said data distribution apparatus distributes 

a module storing price data showing a price of said 
content data to said data processing apparatus. 

20. A data providing system as set forth in claim 18, 
wherein: 

said data providing apparatus provides said 
first module storing said content key data and 
said usage control policy data encrypted using 
distribution key data to said data distribution 

apparatus and 

said data processing apparatus decrypts said 
content key data and said usage control policy 
data stored in said distributed second module 
using said distribution key data. 

21 . A data providing system as set forth in claim 20, fur- 
ther comprising a management apparatus for man- 
aging said distribution key data and distributing said 
distribution key data to said data providing appara- 
tus and said data processing apparatus. 



17. A data processing apparatus utilizing content data 35 
distributed from a data providing apparatus, which 

receives a module storing content data en- 
crypted by using content key data, encrypted con- 
tent key data, and encrypted usage control policy 
data indicating the handling of said content data 40 
from said data providing apparatus, decrypts said 
content key data and said usage control policy data 
stored in the related received module, and deter- 
mines the handling of said content data based on 
the related decrypted usage control policy data. 45 

18. A data providing system comprising a data provid- 
ing apparatus, a data distribution apparatus, and a 
data processing apparatus, wherein 

50 

said data providing apparatus provides a first 
module storing content data encrypted by using 
content key data, encrypted content key data, 
and encrypted usage control policy data indi- 
cating the handling of said content data to said 55 
data distribution apparatus, 
said data distribution apparatus distributes a 
second module storing said encrypted content 



22. A data providing system as set forth in claim 20, 
wherein 

said data providing apparatus generates its 
own signature data for at least one of said con- 
tent key data and said usage control policy and 
provides said first module storing said generat- 
ed signature data and storing a third module en- 
crypted using said distribution key data to said 
data distribution apparatus and 
said data distribution apparatus stores said 
provided third module in said second module 
and distributes it to said data processing appa- 
ratus. 

23. A data providing system as set forth in claim 22, 
wherein said data providing apparatus generates 
said signature data using its own secret key data 
and provides said third module storing public key 
data corresponding to said secret key data to said 
data distribution apparatus. 

24. A data providing system as set forth in claim 23, 
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further comprising a management apparatus 
for preparing public key certificate data certify- 
ing the legitimacy of said public key data, 
wherein 

said data providing apparatus provides said 5 
first module storing said third module storing 
said public key certificate data to said data dis- 
tribution apparatus. 

25. A data providing system as set forth in claim 18, io 
wherein said data providing apparatus provides 

a first file storing said content data and 
a second file storing said content key data and 
said usage control policy 15 
to said data distribution apparatus. 

26. A data providing system as set forth in claim 25, 
wherein said data providing apparatus generates 
signature data using its own secret key data for the 20 
first file and the second file and provides said first 
module storing said generated signature data to 
said data distribution apparatus. 

27. A data providing system as set forth in claim 25, 25 

wherein said data processing apparatus provides 
said first module storing public key data corre- 
sponding to said secret key data to said data distri- 
bution apparatus. 

30 

28. A data providing system as set forth in claim 19, 
wherein said data distribution apparatus generates 
signature data using its own secret key data for said 
price data and stores said signature data in said 
second module. 35 

29. A data providing system as set forth in claim 28, 
wherein said data providing apparatus provides 
said second module storing public key data corre- 
sponding to its own secret key data to said data 40 
processing apparatus. 



sion key data obtained by said mutual authentica- 
tion, and transmits said encrypted second module 
to said data processing apparatus. 

33. A data providing system as set forth in claim 18, 
wherein said data providing apparatus generates a 
storage medium storing said module. 

34. A data providing system as set forth in claim 18, 
wherein said data processing apparatus deter- 
mines at least one of a purchase mode and usage 
mode of said content data based on said usage con- 
trol policy. 

35. A data providing system as set forth in claim 18, 
wherein said data processing apparatus outputs 
said decrypted content key data and said encrypted 
content data to a decryption apparatus. 

36. A data providing system as set forth in claim 29, 
wherein said data processing apparatus verifies the 
legitimacy of signature data stored in said second 
module using public key data stored in said second 
module. 

37. A data providing system as set forth in claim 21, 

wherein: 

said data processing apparatus determines at 
least one of a purchase mode and usage mode 
of distributed content data based on usage con- 
trol policy data and transmits log data indicating 
a log of at least said determined purchase 
mode and usage mode and 
said management apparatus performs profit 
distribution processing for distributing profit ob- 
tained accompanied with said purchase and 
said usage of said content data in said data 
processing apparatus to related parties of said 
data providing apparatus based on said re- 
ceived log data. 



30. A data providing system as set forth in claim 26, 
wherein said data distribution apparatus verifies the 
signature data of said first file and said second file ^5 
using public key data of said data providing appa- 
ratus. 

31. A data providing system as set forth in claim 25, 
wherein said data providing apparatus provides 50 
said first module storing link data showing a linkage 

of said first file and said second file to said data dis- 
tribution apparatus. 



38. A data providing system as set forth in claim 18, 
wherein said data processing apparatus is com- 
prised of a module making it difficult for the process- 
ing content, predetermined data stored in an inter- 
nal memory, and data being processed from being 
monitored and tampered with from the outside. 

39. A data providing system comprising a data provid- 
ing apparatus, at least a first data distribution appa- 
ratus and a second data distribution apparatus, and 
a data processing apparatus, wherein 



32. A data providing system as set forth in claim 18, 55 
wherein said data distribution apparatus performs 
mutual authentication with said data processing ap- 
paratus, encrypts said second module using ses- 



said data providing apparatus provides a first 
module storing content data encrypted by using 
content key data, encrypted content key data, 
and encrypted usage control policy data indi- 
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41. A data providing apparatus for distributing content 
data to a data processing apparatus for using the 
content data, whicli 

distributes a module storing content data en- 
5 crypted by using the content key data, encrypted 

content key data, and encrypted usage control pol- 
icy data indicating the handling of said content data 
to said data processing apparatus. 

10 42. A data providing apparatus as set forth in claim 41 
preparing said usage control policy and distributing 
said module storing said generated usage control 
policy to said data processing apparatus. 

15 43. A data providing apparatus as set forth in claim 41 , 
which distributes said module storing said content 
key data and said usage control policy data encrypt- 
ed using distribution key data to said data process- 
ing apparatus. 

20 

44. A data providing apparatus as set forth in claim 43, 
which encrypts said content key data Kc and said 

usage control policy data using said distribution key 
data issued by a predetermined authority manager. 

25 

45. A data providing apparatus as set forth in claim 41 , 
which generates its own signature data for at least 
one of said content data, content key data, and us- 
age control policy data and distributes said module 

30 storing said generated signature data to said data 
processing apparatus. 

46. A data providing apparatus as set forth in claim 45, 
which generates said signature data using its own 

35 secret key data and distributes said module storing 
public key data corresponding to said secret key da- 
ta to said data processing apparatus. 



eating the handling of said content data to said 
plurality of data distribution apparatuses, 
said first data distribution apparatus distributes 
the second module storing said encrypted con- 
tent data, content key data, and usage control 
policy data stored in said provided first module 
to said data processing apparatus, 
said second data distribution apparatus distrib- 
utes a third module storing said encrypted con- 
tent data, content key data, and usage control 
policy data stored in said provided first module 
to said data processing apparatus, and 
said data processing apparatus decrypts said 
content key data and said usage control policy 
data stored in said distributed second module 
and said third module and determines the han- 
dling of said content data based on the related 
decrypted usage control policy data. 

40. A data providing system comprising at least a first 
data providing apparatus and a second data provid- 
ing apparatus, a data distribution apparatus, and a 
data processing apparatus, wherein 

said first data providing apparatus provides a 

first module storing first content data encrypted 
by using first content key data, encrypted first 
content key data, and encrypted first usage 
control policy data indicating the handling of 
said first content data to said data distribution 
apparatus, 

said second data providing apparatus provides 
a second module storing second content data 
encrypted by using second content key data, 
encrypted second content key data, and en- 
crypted second usage control policy data indi- 
cating the handling of said second content data 
to said data distribution apparatus, 
said data distribution apparatus distributes a 
third module storing said encrypted first content 
data, said first content key data, and said first 
usage control policy data stored in said provid- 
ed first module and said encrypted second con- 
tent data, said second content key data, and 
said second usage control policy data stored in 
said provided second module to said data 
processing apparatus, and 
said data processing apparatus decrypts said 
first content key data and said first usage con- 
trol policy data stored in said distributed third 
module, determines the handling of said first 
content data based on the related decrypted 
first usage control policy data, decrypts said 
second content key data and said second us- 
age control policy data stored in said distributed 
third module, and determines the handling of 
said second content data based on the related 
decrypted second usage control policy data. 



47. A data providing apparatus as set forth in claim 46, 
40 which distributes said module storing public key 

certificate data certifying the legitimacy of said pub- 
lic key data to said data processing apparatus. 

48. A data providing apparatus as set forth in claim 41 , 
45 which distributes: 

a first file storing said content data and 
a second file storing said content key data and 
said usage control policy data 
50 to said data processing apparatus. 

49. A data providing apparatus as set forth in claim 48, 
which generates signature data using its own secret 
key data for said first file and said second file and 

55 distributes said module storing said generated sig- 
nature data to said data processing apparatus. 

50. A data providing apparatus as set forth in claim 49, 
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which distributes said module storing public key da- 
ta corresponding to said secret l<ey data to said data 
processing apparatus. 

51. A data providing apparatus as set forth in claim 41 , 
which performs mutual authentication with said da- 
ta processing apparatus, encrypts said module us- 
ing session key data obtained by said mutual au- 
thentication, and transmits said encrypted module 
to said data processing apparatus. 

52. A data providing apparatus as set forth in claim 41 , 
which generates a storage medium storing said 
module. 

53. A data providing apparatus as set forth in claim 41 , 
which defines said module by an application layer. 

54. A data providing apparatus as set forth in claim 53, 
which uses a presentation layer and transport layer 
under said application layer as distribution protocol 
for distributing said module to said data processing 
apparatus. 

55. A data providing apparatus as set forth in claim 41 , 

which defines said module by a format not depend- 
ent on a medium for distributing said module to said 
data processing apparatus. 

56. A data providing method for distributing data from 
a data providing apparatus to a data processing ap- 
paratus, comprising the steps of: 

distributing a module storing content data en- 
crypted by using content key data, encrypted 
content key data, and encrypted usage control 
policy data indicating the handling of said con- 
tent data from said data providing apparatus to 
said data processing apparatus and 
decrypting said content key data and said us- 
age control policy data stored in said distributed 
module and determining the handling of said 
content data based on the related decrypted 
usage control policy data at said data process- 
ing apparatus. 

57. A data providing method as set forth in claim 56, 
further comprising the steps of: 

distributing said module storing said content 
key data and said usage control policy data en- 
crypted using distribution key data from said 
data providing apparatus to said data process- 
ing apparatus and 

decrypting said content key data and said us- 
age control policy stored in said distributed 
module using said distribution key data. 



58. A data providing method using a data providing ap- 
paratus, data distribution apparatus, and data 
processing apparatus, comprising the steps of: 

5 providing a first module storing content data en- 

crypted by using content key data, encrypted 
content key data, and encrypted usage control 
policy data indicating the handling of said con- 
tent data from said data providing apparatus to 

10 said data distribution apparatus, 

distributing a second module storing said en- 
crypted content data, content key data, and us- 
age control policy data stored in said provided 
first module from said data distribution appara- 

15 tus to said data processing apparatus, and 

decrypting said content key data and said us- 
age control policy data stored in said distributed 
second module and determining the handling 
of said content data based on the related de- 

20 crypted usage control policy data at said data 

processing apparatus. 

59. A data providing method as set forth in claim 58, 
which distributes said second module storing price 

25 data showing a price of said content data from said 
data distribution apparatus to said data processing 

apparatus. 

60. A data providing method using a data providing ap- 
30 paratus, at least a first data distribution apparatus 

and second data distribution apparatus, and a data 
processing apparatus, comprising the steps of: 

providing a first module storing content data en- 
35 crypted by using content key data, encrypted 

content key data, and encrypted usage control 
policy data indicating the handling of said con- 
tent data from said data providing apparatus to 
said data distribution apparatuses, 
40 distributing a second module storing said en- 

crypted content data, content key data, and us- 
age control policy data stored in said provided 
first module from said first data distribution ap- 
paratus to said data processing apparatus, 
45 distributing a third module storing said encrypt- 

ed content data, content key data, and usage 
control policy data stored in said provided first 
module from said second data distribution ap- 
paratus to said data processing apparatus, and 
50 decrypting said content key data and said us- 

age control policy data stored in said distributed 
second module and said third module and de- 
termining the handling of said content data 
based on the related decrypted usage control 
55 policy data at said data processing apparatus. 

61. A data providing method using at least a first data 
providing apparatus and second data providing ap- 
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paratus, a data distribution apparatus, and a data 
processing apparatus, comprising the steps of: 

providing a first module storing first content da- 
ta encrypted by using first content key data, en- 5 
crypted first content key data, and encrypted 
first usage control policy data indicating the 
handling of said first content data from said first 
data providing apparatus to said data distribu- 
tion apparatus, 10 
providing a second module storing second con- 
tent data encrypted by using second content 
key data, encrypted second content key data, 
and encrypted second usage control policy da- 
ta indicating the handling of said second con- ^5 
tent data from said second data providing ap- 
paratus to said data distribution apparatus, 
distributing a third module storing said encrypt- 
ed first content data, said first content key data, 
and said first usage control policy data stored 20 
in said provided first module and said encrypted 
second content data, said second content key 
data, and said second usage control policy data 
stored in said provided second module from 
said data distribution apparatus to said data 25 
processing apparatus, and 
decrypting said first content key data and said 
first usage control policy data stored in said dis- 
tributed third module, determining the handling 
of said first content data based on the related so 
decrypted first usage control policy data, de- 
crypting said second content key data and said 
second usage control policy data stored in said 
distributed third module, and determining the 
handling of said second content data based on 35 
the related decrypted second usage control 
policy data at said data processing apparatus 

62. A data providing method for distributing content da- 
ta to a data processing apparatus using said con- 40 
tent data, which 

distributes a module storing content data en- 
crypted using content key data, said encrypted con- 
tent key data, and encrypted usage control policy 
data showing the handling of said content data. ^5 

63. A data providing method as set forth in claim 62, 
which distributes said module storing said content 
key data and said usage control policy data encrypt- 
ed using distribution key data to said data process- 50 
ing apparatus. 

64. A data providing method as set forth in claim 62, 
which generates its own signature data for at least 
one of said content data, said content key data, and 55 
said usage control policy data and distributes said 
module storing said generated signature data to 
said data processing apparatus. 
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65. A data providing method as set forth in claim 64, 
which generates said signature data using its own 
secret key data and distributes said module storing 
public key data corresponding to said secret key da- 
ta to said data processing apparatus. 

66. A data providing method as set forth in claim 65, 
which distributes said module storing public key 
certificate data certifying the legitimacy of said pub- 
lic key data to said data processing apparatus. 

67. A data providing method as set forth in claim 62, 
which distributes: 

a first file storing said content data and 

a second file storing said content key data and 

said usage control policy data 

to said data processing apparatus. 

68. A data providing method as set forth in claim 67, 
which generates signature data using its own secret 
key data for said first file and said second file and 
stores said generated signature data. 

69. A data providing method as set forth in claim 68, 

which distributes a module storing public key data 
corresponding to said secret key data to said data 
processing apparatus. 

70. A data providing method as set forth in claim 62, 
which performs mutual authentication with said da- 
ta processing apparatus, encrypts said module us- 
ing session key data obtained by said mutual au- 
thentication, and transmits said encrypted module 
to said data processing apparatus. 

71. A data providing method as set forth in claim 62, 
which generates a storage medium storing said 
module. 

72. A data providing system comprising a data provid- 
ing apparatus, data processing apparatus, and 
management apparatus, wherein 

said data providing apparatus distributes con- 
tent data and usage control policy data indicat- 
ing the handling of the related content data to 
said data processing apparatus and requests 
to said management apparatus to certify legit- 
imacy of said usage control policy data, 
said data processing apparatus uses said dis- 
tributed content data based on said distributed 
usage control policy data, and 
said management apparatus manages said da- 
ta providing apparatus and said data process- 
ing apparatus and certifies the legitimacy of 
said usage control policy data in response to a 
request from said data providing apparatus. 
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73. A data providing system as set forth in claim 72, 
wherein said data providing apparatus makes said 
request by transmitting to said management appa- 
ratus a module storing said usage control policy da- 
ta, its own identifier, and signature data generated 
using its own secret key data for at least said usage 
control policy data. 

74. A data providing system as set forth in claim 73, 
wherein 

said management apparatus distributes public 
key certificate data for certifying the legitimacy 
of the public key data corresponding to said se- 
cret key data of said data providing apparatus 
to said data providing apparatus together with 
the signature data generated by using its own 
secret key data, and 

said data providing apparatus makes a request 
by transmitting a module storing said public key 
certificate data, said usage control policy data, 
its own identifier, and said signature data to 
said management apparatus. 

75. A data providing system as set forth In claim 72, 
wherein: 

said management apparatus manages distri- 
bution key data, distributes the related distribu- 
tion key data to said data processing appara- 
tus, generates signature data generated by us- 
ing its own secret key data with respect to said 
usage control policy data in response to a re- 
quest from said data providing apparatus, en- 
crypts a module storing the related generated 
signature data and said usage control policy 
data by using said distribution key data, and 
transmits the same to said data providing ap- 
paratus, 

said data providing apparatus distributes a 
module received from said management appa- 
ratus to said data processing apparatus, and 
said data processing apparatus decrypts said 
module received from said data providing ap- 
paratus by using said distribution key data, ver- 
ifies the legitimacy of said signature data stored 
in the related module by using the public key 
data of said management apparatus, and uses 
said distributed content data based on the us- 
age control policy data stored in said module 
when it decides it is legitimate. 

76. A data providing system as set forth in claim 72, 
wherein: 

said data processing apparatus determines at 
least one of a purchase mode and usage mode 
of distributed content data based on usage con- 



trol policy data and transmits log data indicating 
a log of at least said determined purchase 
mode and usage mode and 
said management apparatus performs profit 

5 distribution processing for distributing profit ob- 

tained accompanied with said purchase and 
said usage of said content data in said data 
processing apparatus to related parties of said 
data providing apparatus based on said re- 

10 ceived log data. 

77. A data providing system comprising a data provid- 
ing apparatus, data processing apparatus, and 
management apparatus, wherein 

15 

said data providing apparatus encrypts content 
data by using content key data, distributes the 
related encrypted content data to said data 
processing apparatus, and requests to said 
20 management apparatus to certify the legitima- 

cy of said content key data, 
said data processing apparatus decrypts said 
distributed content data by using said content 
key data and uses the related decrypted con- 
25 tent data, and 

said management apparatus manages said da- 
ta providing apparatus and said data process- 
ing apparatus and certifies the legitimacy of 
said content key data in response to a request 
30 from said data providing apparatus. 

78. A data providing system as set forth in claim 77, 
wherein said data providing apparatus distributes a 
module storing said content data and said content 

35 key data to said data processing apparatus. 

79. A management apparatus for managing a data pro- 
viding apparatus for distributing content data and 

usage control policy data indicating the handling of 
40 the related content data and a data processing ap- 
paratus for using said distributed content data 
based on said distributed usage control policy data, 
which 

certifies the legitimacy of said usage control 
45 policy data in response to a request from said data 
providing apparatus. 

80. A data providing system as set forth in claim 79, 
which manages public key data corresponding to 

50 secret key data of said data providing apparatus 
when receiving from said data providing apparatus 
said request using a module storing said usage con- 
trol policy data, an identifier of said data providing 
apparatus, and signature data generated using se- 
55 cret key data of said data providing apparatus for at 
least said usage control policy data. 

81. A data providing system as set forth in claim 80, 
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which transmits public key certificate data certifying 
the legitimacy of said public key data to said data 
providing apparatus. 

82. A management apparatus for managing a data pro- 
viding apparatus for distributing content data and 
usage control policy data indicating the handling of 
the related content data encrypted using content 
key data and a data processing apparatus for using 
said distributed content data afer decrypting said 
distributed content data using said content key data 
based on said distributed usage control policy data, 
which 

certifies the legitimacy of said content key da- 
ta in response to a request from said data providing 
apparatus. 

83. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein 

said data providing apparatus provides content 
data and usage control policy data indicating 
the handling of the related content data to said 
data distribution apparatus and requests to said 
management apparatus to certify the legitima- 
cy of said usage control policy data, 
said data distribution apparatus distributes said 
provided content data and said usage control 
policy data to said data processing apparatus, 
said data processing apparatus uses said dis- 
tributed content data based on said distributed 
usage control policy data, and 
said management apparatus manages said da- 
ta providing apparatus and said data process- 
ing apparatus and certifies the legitimacy of 
said usage control policy data in response to a 
request from said data providing apparatus. 

84. A data providing system as set forth in claim 83, 
wherein said data providing apparatus makes said 
request by transmitting to said management appa- 
ratus a module storing an identifier of said content 
data, said usage control policy data, and signature 
data generated using its own secret key data for at 
least said usage control policy data. 

85. A data providing system as set forth in claim 84, 
wherein said management apparatus distributes 
public key certificate data certifying the legitimacy 
of public key data corresponding to said secret key 
data of said data providing apparatus together with 
signature data generated using its own secret key 
data to said data providing apparatus. 

86. A data providing system as set forth in claim 84, 
wherein said 
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said management apparatus manages distri- 
bution key data, distributes the related distribu- 
tion key data to said data processing appara- 
tus, generates signature data generated by us- 
ing its own secret key data with respect to said 
usage control policy data in response to a re- 
quest from said data providing apparatus, en- 
crypts a module storing the related generated 
signature data and said usage control policy 
data by using said distribution key data, and 
transmits the same to said data providing ap- 
paratus, 

said data providing apparatus distributes a 
module received from said management appa- 
ratus to said data distribution apparatus, and 
said data processing apparatus decrypts said 
module distributed said data distribution appa- 
ratus, verifies the legitimacy of said signature 
data stored in the related module by using the 
public key data of said management apparatus, 
and uses said distributed content data based 
on the usage control policy data stored in said 
module when it decides it is legitimate. 

87. A data providing system as set forth in claim 83, 
wherein: 

said data distribution apparatus distributes 
price data indicating the price of said distributed 
content data to said data processing apparatus 
and 

said management apparatus certifies the legit- 
imacy of said price data in response to a re- 
quest from said data distribution apparatus. 



35 



88. A data providing system as set forth in claim 83, 
wherein 

said data processing apparatus determines at 
40 least one of a purchase mode and usage mode 

of distributed content data based on said usage 
control policy data and transmits log data indi- 
cating a log of at least said determined pur- 
chase mode and usage mode to said manage- 
45 ment apparatus and 

said management apparatus performs profit 
distribution processing for distributing profit ob- 
tained accompanied with said purchase and 
said usage of said content data in said data 
50 processing apparatus to related parties of said 

data providing apparatus and said data distri- 
bution apparatus based on said received log 
data. 

55 89. A data providing system as set forth in claim 83, 
wherein 

said data processing apparatus has a first mod- 
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ule communicating witli said data distribution 
apparatus and a second module determining at 
least one of a purchase mode and usage mode 
of distributed content data based on said dis- 
tributed usage control policy data and transmit- 
ting log data indicating a log of at least said de- 
termined purchase mode and usage mode to 
said management apparatus and 
said management apparatus manages the data 
providing apparatus, data distribution appara- 
tus, and data processing apparatus and per- 
forms profit distribution processing for distribut- 
ing profit obtained accompanied with said data 
processing apparatus receiving distribution of 
said content data and purchasing and using 
said content data to related parties of said data 
providing apparatus and said data distribution 
apparatus based on said received log data re- 
ceived from said second module. 

90. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein 

said data providing apparatus encrypts content 
data by using content key data, provides relat- 
ed encrypted content data, and usage control 
policy data indicating the handling of the related 
content data to said data distribution appara- 
tus, and requests to said management appara- 
tus to certify the legitimacy of said content key 
data, 

said data distribution apparatus distributes said 
provided content data and said usage control 
policy data to said data processing apparatus, 
said data processing apparatus uses said con- 
tent data containing the decryption of said con- 
tent data using said content key data based on 
said distributed usage control policy data, and 
said management apparatus manages said da- 
ta providing apparatus and said data process- 
ing apparatus and certifies the legitimacy of 
said content key data in response to a request 
from said data providing apparatus. 

91. A data providing system as set forth in claim 90, 
wherein said data providing apparatus encrypts 
said content key data and provides a module storing 
said encrypted content key data and encrypted con- 
tent data to said data distribution apparatus. 

92. A management apparatus for managing a data pro- 
viding apparatus for providing content data and us- 
age control policy data indicating the handling of the 
related content data, a data distribution apparatus 
for distributing said provided content data and said 
usage control policy data, and a data processing 



apparatus for using said distributed content data 
based on said distributed usage control policy data, 
which 

certifies the legitimacy of said usage control 
5 policy data in response to a request from said data 
providing apparatus. 

93. A management apparatus as set forth in claim 92, 
which certifies the legitimacy of said content key da- 
10 ta in response to a request from said data providing 
apparatus when encrypting said content data using 
content key data and providing it from said data pro- 
viding apparatus to said data distribution apparatus. 

15 94. A management apparatus as set forth in claim 92, 
which certifies the legitimacy of said price data in 
response to a request from said data distribution ap- 
paratus when distributing said price data from said 
data distribution apparatus to said data processing 
20 apparatus together with said content data and said 
usage control policy data. 

95. A data providing method using a data providing ap- 
paratus, data processing apparatus, and manage- 
rs ment apparatus, comprising the steps of: 

distributing content data and usage control pol- 
icy data indicating the handling of the related 
content data from said data providing appara- 
30 tus to said data processing apparatus and 

using said distributed content data based on 
said distributed usage control policy data at 
said data processing apparatus, and 
certifying the legitimacy of said usage control 
35 policy data in said management apparatus in 

response to a request from said data providing 
apparatus. 

96. A data providing method using a data providing ap- 
40 paratus, data processing apparatus, and manage- 
ment apparatus, comprising the steps of: 

distributing content data encrypted by using 
content key data from said data providing ap- 
45 paratus to said data processing apparatus, 

decrypting said distributed content data by us- 
ing said content key data at said data process- 
ing apparatus, and 

certifying the legitimacy of said content key da- 
50 ta in said management apparatus in response 

to a request from said data providing appara- 
tus. 

97. A data providing method using a data providing ap- 
55 paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus, com- 
prising the steps of: 
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providing content data and usage control policy 
data indicating the handling of the related con- 
tent data from said data providing apparatus to 
said data distribution apparatus, 
distributing said provided content data and said 5 
usage control policy data from said data distri- 
bution apparatus to said data processing appa- 
ratus, 

using said distributed content data based on 
said distributed usage control policy data at io 
said data processing apparatus, and 
certifying the legitimacy of said usage control 
policy data in said management apparatus in 
response to a request from said data providing 
apparatus. 15 



98. A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus, com- 
prising the steps of: 20 



ing apparatus and performs profit distribution 
processing for distributing the profit obtained 
accompanied with said purchase and said us- 
age of said content data in said data processing 
apparatus to related parties of said data provid- 
ing apparatus based on received log data. 

100. A data providing system as set forth in claim 99, 
wherein 

said data providing apparatus encrypts said 
content data using predetermined key data and 
distributes it to said data processing apparatus, 
said data processing apparatus decrypts said 
received content data using said key data, and 
said management apparatus manages said 
key data. 

101. A data providing system as set forth in claim 99, 
wherein 



providing content data encrypted by using con- 
tent key data and usage control policy data in- 
dicating the handling of the related content data 
from said data providing apparatus to said data 25 

distribution apparatus, 

distributing said content data and said usage 
control policy data provided from said data dis- 
tribution apparatus to said data processing ap- 
paratus to said data processing apparatus, so 
using said content data containing the decryp- 
tion of said content data using said content key 
data based on said distributed usage control 
policy data in said data processing apparatus, 
and 35 
certifying the legitimacy of said content key da- 
ta in said management apparatus in response 
to a request from said data providing appara- 
tus. 



99. A data providing system comprising a data provid- 
ing apparatus, data processing apparatus, and 
management apparatus, wherein 



said data providing apparatus generates pre- 
determined key data and registers said gener- 
ated key data to said management apparatus, 
said management apparatus manages said 
registered key data and transmits correspond- 
ing key data to said data processing apparatus 
when processing for purchasing of content data 
is performed in said data processing apparatus, 
and 

said data processing apparatus decrypts said 
received content data using said received key 
data. 

102. A data providing system as set forth in claim 100, 
wherein said data providing apparatus encrypts 
said key data and distributes a module storing said 
encrypted key data, encrypted content data, and 
said usage control policy data to said data process- 
ing apparatus. 

103. A data providing system as set forth in claim 102, 
wherein 



said data providing apparatus distributes con- ^5 
tent data and usage control policy data indicat- 
ing the handling of the related content data to 
said data processing apparatus, 
said data processing apparatus determines at 
least one of a purchase mode and a usage 50 
mode of said distributed content data based on 
said distributed usage control policy data and 
transmits log data indicating the log of at least 
one of the related determined purchase mode 
and usage mode to said management appara- 55 
tus, and 

said management apparatus manages said da- 
ta providing apparatus and said data process- 



said management apparatus manages distri- 
bution key data and distributes said distribution 
key data to said data providing apparatus and 
said data processing apparatus, 
said data providing apparatus encrypts said 
key data and said usage control policy data us- 
ing said distributed distribution key data, and 
said data processing apparatus decrypts said 
key data and said usage control policy data us- 
ing said distributed distribution key data. 

104.A data providing system as set forth in claim 103, 
wherein said management apparatus distributes a 
plurality of distribution key data having predeter- 
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mined terms of validity to said data providing appa- 
ratus and said data processing apparatus for exact- 
ly a predetermined period. 

105. A data providing system as set forth in claim 102, 5 
wlierein 

said data providing apparatus generates signa- 
ture data for at least one of said encrypted con- 
tent data and usage control policy data using io 
its own secret key data and distributes a mod- 
ule storing said encrypted content data, said 
encrypted key data, said encrypted usage con- 
trol policy data, and said signature data to said 
data processing apparatus, ^5 
said data processing apparatus verifies said 
signature data stored in said distributed module 
using public key data corresponding to said se- 
cret key data, and 

said management apparatus manages said 20 
public key data. 

106. A data providing system as set forth in claim 105, 
wherein said data providing apparatus distributes 
said module storing public key data corresponding 25 
to its own secret key data to said data processing 

apparatus. 

107. A data providing system as set forth in claim 105, 
wherein said management apparatus distributes 30 
said module storing public key data corresponding 

to said secret key data of said data providing appa- 
ratus to said data processing apparatus. 

108. A data providing system as set forth in claim 99, 35 
wherein 

said management apparatus distributes distri- 
bution key data to said data providing appara- 
tus and said data processing apparatus, 40 
said data providing apparatus encrypts said us- 
age control policy using said distribution key 
data and distributes it to said data processing 
apparatus, and 

said data processing apparatus decrypts said 45 
received usage control policy data using said 
distribution key data. 

109. A data providing system as set forth in claim 100, 
wherein said management apparatus authenticates 50 
the legitimacy of at least one of said usage control 
policy data and said key data. 

110. A data providing system as set forth in claim 99, 
wherein said management apparatus generates 55 
settlement claim data used when claiming settle- 
ment processing in accordance with said profit dis- 
tribution processing, adds signature data based on 



its own secret key data to said settlement claim da- 
ta, and transmits it to an apparatus performing said 
settlement processing or said data providing appa- 
ratus. 

111. A data providing system as set forth in claim 99, 
wherein said management apparatus performs 
processing for registration of said data processing 
apparatus, manages said registered data process- 
ing apparatus, and performs profit distribution 
processing based on said log data received from 
said registered data processing apparatus. 

112. A data providing system as set forth in claim 99, 
wherein said data processing apparatus deter- 
mines a purchase mode of said distributed content 
data based on said usage control policy data, gen- 
erates usage control status data in accordance with 
said determined purchase mode, and controls us- 
age of said distributed content data based on said 
usage control status data. 

113. A data providing system as set forth in claim 99, 
wherein said data processing apparatus is com- 
prised of a module making it difficult for the process- 
ing content, predetermined data stored in an inter- 
nal memory, and data being processed from being 
monitored and tampered with from the outside. 

114. A management apparatus for managing a data pro- 
viding apparatus for distributing content data and 
usage control policy data indicating the handling of 
said content data and a data processing apparatus 
for determining at least one of a purchase mode and 
usage mode of said distributed content data based 
on said distributed usage control policy data and 
generating log data showing a log of at least one of 
said determined purchase mode and usage mode, 
which 

receives said log data from said data process- 
ing apparatus and performs profit distribution 
processing for distributing the profit accompanied 
with said purchase and said usage of said content 
data in said data processing apparatus to related 
parties of said data providing apparatus based on 
said received log data. 

1 1 5. A management apparatus as set forth in claim 113, 
which manages key data when distributing content 
data encrypted using predetermined key data from 
said data providing apparatus to said data process- 
ing apparatus. 

1 1 6. A management apparatus as set forth in claim 1 1 4, 
which authenticates the legitimacy of at least one 
of said usage control policy data and key data used 
when decrypting said content data. 
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1 1 7. A data providing apparatus for receiving distribution 
of content data and usage control policy data indi- 
cating the liandling of the related content data from 
a data providing apparatus and transmitting log da- 
ta to a management apparatus for performing profit 
distribution processing for distributing the profit ob- 
tained accompanied with the purchase and usage 
of the related distributed content data to related par- 
ties of said data providing apparatus based on pre- 
determined log data, which 

determines at least one of a purchase mode 
and usage mode of said distributed content data 
based on said distributed usage control policy data 
and transmits said log data indicating the log of the 
determined designation mode and usage mode to 
said management apparatus. 

1 1 8. A data providing apparatus as set forth in claim 1 1 7, 
which receives said key data from said data provid- 
ing apparatus when said content data is encrypted 
using predetermined key data. 

119. A data processing apparatus as set forth in claim 
117, comprised of a module making it difficult for the 
processing content, predetermined data stored in 
an internal memory, and data being processed from 
being monitored and tampered with from the out- 
side. 

120. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein 

said data providing apparatus provides content 
data and usage control policy data indicating 
the handling of the related content data to said 
data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said usage control 
policy data to said data processing apparatus, 
said data processing apparatus has a first mod- 
ule for communicating with said data distribu- 
tion apparatus and a second module for deter- 
mining at least one of a purchase mode and us- 
age mode of said distributed content data 
based on said distributed usage control policy 
data and transmitting log data indicating the log 
of the related determined purchase mode and 
usage mode to said management apparatus, 
and 

said management apparatus manages the data 
providing apparatus, data distribution appara- 
tus, and data processing apparatus and per- 
forms profit distribution processing for distribut- 
ing the profit obtained accompanied with said 
data processing apparatus receiving said dis- 
tribution of said content data and purchasing 



and using said content data to related parties 
of said data providing apparatus and said data 
distribution apparatus based on said log data 
received from said second module. 

121. A data providing system as set forth in claim 120, 
wherein said data providing apparatus encrypts 
said content data using content key data and pro- 
vides it to said data distribution apparatus. 

122. A data providing system as set forth in claim 120, 
wherein said data distribution apparatus generates 
price data showing the price of said distributed con- 
tent data and distributes said price data to said data 
processing apparatus. 

123. A data providing system as set forth in claim 120, 
wherein 

said data providing apparatus encrypts said 
content key data and said usage control policy 
by using distribution key data and provides it to 
said data distribution apparatus, 
said data processing apparatus decrypts said 
content key data and said usage control policy 
using said distribution key data, and 
said management apparatus manages said 
distribution key data and distributes said distri- 
bution key data to said data providing appara- 
tus and said data processing apparatus. 

124. A data providing system as set forth in claim 123, 
wherein 

said data providing apparatus generates first 
signature data for at least one of said encrypted 
content data, said encrypted content key data, 
and said encrypted usage control policy data 
using its own first secret key data and provides 
a first module storing said encrypted content 
data, said encrypted key data, said encrypted 
usage control policy data, and said first signa- 
ture data to said data distribution apparatus, 
said data distribution apparatus verifies said 
first signature data using first public key data 
corresponding to said first secret key data, then 
stores second signature data generated using 
its own second secret key data in said first mod- 
ule to generate a second module and distrib- 
utes said second module to said data process- 
ing apparatus, 

said data processing apparatus verifies said 
first signature data stored in said distributed 
second module using said first public key data 
and verifies said second signature data stored 
in said distributed second module using second 
public key data corresponding to said second 
secret key data, and 
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said management apparatus manages said 
first public key data and said second public l<ey 
data. 

125. A data providing system as set fortli in claim 124, 5 
wherein 

said data providing apparatus provides said 
first module storing said first public key data to 
said data distribution apparatus and io 
said data distribution apparatus distributes said 
second module storing said first public key data 
and said second public key data to said data 
processing apparatus. 

15 

126. A data providing system as set forth in claim 124, 
wherein said management apparatus distributes 

said first public key data and said second public key 
data to said data processing apparatus. 

20 

127. A data providing system as set forth in claim 120, 
wherein 



128. A data providing system as set forth in claim 120, 
wherein said data distribution apparatus distributes 

to said data processing apparatus a module storing 35 
said provided encrypted content data, said provided 
usage control policy data, said key data encrypting 
said content data, and price data showing the price 
of said distributed content data. 

40 

129. A data providing system as set forth in claim 120, 
wherein said management apparatus performs 
profit distribution processing for distributing profit 
obtained accompanied with said data processing 
apparatus receiving distribution of said content data ^5 
and purchasing and using said content data to re- 
lated parties of said data providing apparatus and 
said data distribution apparatus, generates settle- 
ment claim data to be used when claiming settle- 
ment, add its own signature data to said settlement 50 
claim data, and transmits this to an apparatus for 
performing said settlement processing. 

130. A data providing system as set forth in claim 129, 
wherein said management apparatus transmits set- 55 
tiement report data showing the results of said profit 
distribution processing to at least one of said data 
providing apparatus and said data distribution ap- 



paratus. 

131. A data providing system as set forth in claim 120, 
wherein said management apparatus performs 
profit distribution processing for distributing profit 
obtained accompanied with said data processing 
apparatus receiving distribution of said content data 
and purchasing and using said content data to re- 
lated parties of said data providing apparatus and 
said data distribution apparatus, generates settle- 
ment claim data to be used when claiming settle- 
ment, adds its own signature data to said settlement 
claim data, and transmits this to at least one of said 
data providing apparatus and said service providing 
apparatus. 

132. A data providing system as set forth in claim 120, 
wherein said management apparatus performs 
processing for registration of said data processing 
apparatus, manages said registered data process- 
ing apparatus, and performs said profit distribution 
processing based on said log data received from 
said registered data processing apparatus. 

133. A data providing system as set forth in claim 120, 
wherein said data processing apparatus deter- 
mines at least one of a purchase mode and usage 
mode of said distributed content data based on said 
usage control policy data, generates usage control 
status data in accordance with said determined pur- 
chase mode and usage mode, and controls usage 
of said distributed content data based on said usage 
control status data. 

134. A data providing system as set forth in claim 120, 
wherein said second module of said data process- 
ing apparatus is a module making it difficult for the 
processing content, predetermined data stored in 
an internal memory, and data being processed from 
being monitored and tampered with from the out- 
side. 

135. A management apparatus for managing a data pro- 
viding apparatus for providing content data and us- 
age control policy data indicating the handling of the 
related content data, a data distribution apparatus 
for distributing said provided content data and said 
usage control policy data, and a data processing 
apparatus for determining at least one of a pur- 
chase mode and usage mode of said distributed 
content data based on said distributed usage con- 
trol policy data and creating log data indicating the 
log of at least one of the related determined pur- 
chase mode and usage mode, which 

performs profit distribution processing for dis- 
tributing the profit obtained accompanied with said 
data processing apparatus receiving said distribu- 
tion of said content data and purchasing and using 



said data distribution apparatus distributes 
price data showing the price of said distributed 25 
content data to said data processing apparatus 

and 

said management apparatus authenticates the 
legitimacy of the data of at least one of key data 
used when encrypting said content data and 30 
said price data. 
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said content data to related parties of said data pro- 
viding apparatus and said data distribution appara- 
tus based on said received log data. 

1 36. A management apparatus as set forth in claim 1 35, 
which manages said key data when distributing said 
content data encrypted using predetermined con- 
tent key data from said data providing apparatus to 
said data processing apparatus. 

1 37. A management apparatus as set forth in claim 1 36, 
which authenticates the legitimacy of at least one 
of said usage control policy data and said content 
key data. 

138. A data processing apparatus for receiving distribu- 
tion of content data and usage control policy data 
from a data distribution apparatus receiving the pro- 
vision of content data and usage control policy data 
indicating the handling of the related content data 
from a data providing apparatus and transmitting 
log data to a management apparatus for performing 
profit distribution processing for distributing the 
profit obtained accompanied with the purchase and 
usage of said distributed content data to related par- 
ties of said data providing apparatus and said data 
distribution apparatus based on predetermined log 
data, which has 

a first module for communicating with said data 
distribution apparatus and 
a second module for determining at least one 
of a purchase mode and usage mode of said 
distributed content data based on said distrib- 
uted usage control policy data and transmitting 
log data indicating the log of the related deter- 
mined purchase mode and usage mode to said 
management apparatus. 

139. A data processing apparatus as set forth in claim 
138, which is a module making it difficult for the 
processing content, predetermined data stored in 
an internal memory, and data being processed from 
being monitored and tampered with from the out- 
side. 

140. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein 

said data providing apparatus provides content 
data and usage control policy data indicating 
the handling of the related content data to said 
data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said usage control 
policy data to said data processing apparatus 



and performs charge processing concerning 
the distribution of said content data based on a 
data distribution apparatus use purchase log 
data received from said data processing appa- 
5 ratus, 

said data processing apparatus has a first mod- 
ule for creating the data distribution apparatus 
use purchase log data indicating the log of the 
purchase of said content data distributed from 
said data distribution apparatus and transmit- 
ting the same to said data distribution appara- 
tus and a second module for determining at 
least one of the purchase mode and the usage 
mode of said distributed content data based on 
said distributed usage control policy data and 
transmitting a management apparatus use log 
data indicating the log of the related determined 
purchase mode and usage mode to said man- 
agement apparatus, and 
said management apparatus performs profit 
distribution processing for distributing the profit 
obtained accompanied with said purchase and 
said usage of said content data in said data 
processing apparatus to related parties of said 
data providing apparatus and said data distri- 
bution apparatus based on said management 
apparatus use log data. 

141 .A data processing apparatus for receiving the dis- 
tribution of content data and usage control policy 
data indicating the handling of the related content 
data from a data providing apparatus via a data dis- 
tribution apparatus and transmitting said log data to 
a management apparatus for performing profit dis- 
tribution processing for distributing the profit ob- 
tained accompanied with the purchase and usage 
of the related distributed content data to related par- 
ties of said data providing apparatus and said data 
distribution apparatus based on said management 
apparatus use log data, said data processing appa- 
ratus comprising, 

a first module for creating data distribution ap- 
paratus use purchase log data indicating the 
log of the purchase of said content data distrib- 
uted from said data distribution apparatus and 
transmitting the same to said data distribution 
apparatus and 

a second module for determining at least one 
of a purchase mode and usage mode of said 
distributed content data based on said distrib- 
uted usage control policy data and transmitting 
said management apparatus use log data indi- 
cating the log of the related determined pur- 
chase mode and usage mode to said manage- 
ment apparatus. 

142.A data providing system comprising a data provid- 
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ing apparatus, data distribution apparatus, data 
processing apparatus, and a management appara- 
tus, wlierein: 

said data providing apparatus provides the con- 
tent data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data to said data processing 

apparatus, 

said data processing apparatus uses said dis- 
tributed content data, and 
said management apparatus manages opera- 
tion of a data providing service by said data pro- 
viding apparatus, said data distribution appara- 
tus, and said data processing apparatus. 

143. A data providing system as set fortli in claim 142, 
wherein: 

said data providing apparatus provides usage 
control policy data indicating the handling of 
said content data to said data distribution ap- 
paratus, 

said data distribution apparatus distributes said 
provided content data and usage control policy 
data to said data processing apparatus, 
said data processing apparatus uses said dis- 
tributed content data based on said distributed 
usage control policy data, and 
said management apparatus plays the role of 
a sub-certificate authority present hierarchical- 
ly under a route certificate authority, generates 
and manages public key certificate data to be 
used when certifying the legitimacy of public 
key data corresponding to secret key data to be 
used at said registered data providing appara- 
tus, data distribution apparatus, and data 
processing apparatus, authenticates said us- 
age control policy data, and performs right 
processing relating to said content data. 

144. A data providing system as set forth in claim 143, 
wherein 

said data providing apparatus encrypts using 
said key data and provides the result to said 
data distribution apparatus and 
said management apparatus manages said 
key data. 

145. A data providing system as set forth in claim 143, 
wherein 

each of said data providing apparatus and said 
data distribution apparatus generates its own 
secret key data to be used for authentication 

with another apparatus, manages said gener- 
ated secret key data, generates public key data 



corresponding to said secret key data, and reg- 
isters said public key data, identification card, 
and settlement account to said management 
apparatus and 

5 said management apparatus generates public 

key certificate data certifying the legitimacy of 
said public key data. 

146. A data providing system as set forth in claim 145, 
10 wherein said management apparatus allocates 

identification numbers to said data providing appa- 
ratus and said data distribution apparatus in accord- 
ance with said registration and transmits to said da- 
ta providing apparatus and said datadistribution ap- 
15 paratus public key data of a route certificate author- 
ity and public key data of the management appara- 
tus. 

147. A data providing system as set forth in claim 145, 
20 wherein each of said data providing apparatus and 

said data distribution apparatus further registers 
said secret key data in said management appara- 
tus. 

25 148.A data providing system as set forth in claim 143, 
wherein said data processing apparatus has stored 
in it in advance secret key data generated by said 
management apparatus and public key data corre- 
sponding to said secret key data. 

30 

149. A data providing system as set forth in claim 148, 
wherein said data processing apparatus has stored 
in it in advance public key certificate data certifying 
the legitimacy of said public key data generated by 

35 said management apparatus. 

150. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 

40 tus, wherein 

said data providing apparatus provides content 
data to said data distribution apparatus, 

said data distribution apparatus distributes said 
45 provided content data to said data processing 

apparatus, 

said data processing apparatus uses said dis- 
tributed content data, and 
said management apparatus manages the op- 
50 eration of a data providing service by said data 

providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
wherein 

the transmission of data among said data pro- 
55 viding apparatus, said data distribution appara- 

tus, said data processing apparatus, and said 
management apparatus is carried out by using 
mutual authentication using a public key en- 
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cryption method, signature creation, signature 
verification, and encryption of data by a com- 
mon key encryption method. 

151 .A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein 

said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data to said data processing 

apparatus, 

said data processing apparatus uses said dis- 
tributed content data, and 
said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by itself by using its own 
secret key data when each of said data provid- 
ing apparatus, said data distribution apparatus, 
and said data processing apparatus supplies 
the data to another apparatus, and generates 
and manages public key certificate data of pub- 
lic key data corresponding to secret key data of 
said data providing apparatus, said data distri- 
bution apparatus, and said data processing ap- 
paratus when the legitimacy of the signature 
data corresponding to the data is verified by us- 
ing the public key data of the related other ap- 
paratus when receiving the supply of the relat- 
ed data from the other apparatus, wherein 
said data providing apparatus, said data distri- 
bution apparatus, and said data processing ap- 
paratus acquire said their own public key cer- 
tificate data from said management apparatus 
before communicating with the other apparatus 
and transmit the related acquired public key 
certificate data to said other apparatus. 

152.A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein 

said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data to said data processing 

apparatus, 

said data processing apparatus uses said dis- 
tributed content data, and 
said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 



paratus, and said data processing apparatus, 
generates the signature data indicating that the 
related data is generated by itself by using its 
own secret key data when each of said data 
5 providing apparatus, said data distribution ap- 

paratus, and said data processing apparatus 
supplies data to another apparatus, and gener- 
ates and manages public key certificate data of 
public key data corresponding to secret key da- 
ta of said data providing apparatus, said data 
distribution apparatus, and said data process- 
ing apparatus when the legitimacy of the signa- 
ture data corresponding to the data is verified 
by using the public key data of the related other 
apparatus when receiving the supply of the re- 
lated data from the other apparatus, wherein 
said data providing apparatus, said data distri- 
bution apparatus, and said data processing ap- 
paratus acquire their own public key certificate 
data from said management apparatus before 
communicating with the other apparatus and 
transmit the related acquired public key certifi- 
cate data to said other apparatus at said com- 
munication. 

153.A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 

said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data to said data processing 
apparatus, 

said data processing apparatus uses said dis- 
tributed content data, and 
said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by itself by using its own 
secret key data when each of said data provid- 
ing apparatus, said data distribution apparatus, 
and said data processing apparatus supplies 
data to another apparatus, generates and man- 
ages public key certificate data of public key da- 
ta corresponding to secret key data of said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus 
when the legitimacy of the signature data cor- 
responding to the data is verified by using the 
public key data of the related other apparatus 
when receiving the supply of the related data 
from the other apparatus, and generates public 
key certificate revocation list for specifying pub- 
lic key certificate data to be invalidated among 
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said generated public key certificate data and 
tliereby to restrict said communication or said 
distribution using public key certificate data 
specified by said public key certificate revoca- 
tion list by said data providing apparatus, said 5 
data distribution apparatus, and said data 
processing apparatus. 

154. A data providing system as set forth in claim 153, 
wherein said management apparatus generates io 
public key certificate revocation list specifying pub- 
lic key certificate data corresponding to said data 
providing apparatus, said data distribution appara- 
tus, and said data processing apparatus used for 
illegal actions. 15 

155. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 20 

said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data to said data processing 25 

apparatus, 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, so 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 
providing apparatus supplies data to another 
apparatus, generates and manages public key 35 
certificate data of public key data correspond- 
ing to secret key data of said data providing ap- 
paratus for when another apparatus verifies the 
legitimacy of the related signature data by using 
the public key data corresponding to said secret 40 
key data, generates public key certificate revo- 
cation list for specifying public key certificate 
data to be invalidated among said generated 
public key certificate data, distributes the relat- 
ed public key certificate revocation list to said ^5 
data processing apparatus, and 
said data processing apparatus verifies wheth- 
er or not public key certificate data of said data 
providing apparatus providing said distributed 
content data is invalid based on said public key 50 
certificate revocation list distributed from said 
management apparatus and controls the usage 
of said distributed content data based on the 
result of the related verification. 

55 

156. A data providing system as set forth in claim 155, 
wherein said management apparatus directly dis- 
tributes said public key certificate revocation list to 



said data processing apparatus. 

157. A data providing system as set forth in claim 155, 
wherein said management apparatus distributes 
said public key certificate revocation list to said data 
processing apparatus through said data distribution 
apparatus, by broadcasting, or by an on-demand 
system. 

158. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 
providing apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data providing ap- 
paratus for when another apparatus verifies the 
legitimacy of the related signature data by using 
the public key data corresponding to said secret 
key data, generates public key certificate revo- 
cation list for specifying public key certificate 
data to be invalidated among said generated 
public key certificate data, distributes the relat- 
ed public key certificate revocation list to said 
data distribution apparatus, and 
said data distribution apparatus verifies wheth- 
er or not public key certificate data of said data 
providing apparatus providing said provided 
content data is invalid based on said public key 
certificate revocation list distributed from said 
management apparatus, and controls the dis- 
tribution of said provided content data to said 
data processing apparatus based on the result 
of the related verification. 

159. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 
distribution apparatus supplies data to another 
apparatus, generates and manages public key 
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certificate data of public key data correspond- 
ing to secret key data of said data distribution 
apparatus for when anotlier apparatus verifies 
the legitimacy of the related signature data by 
using the public key data corresponding to said 5 
secret key data, generates public key certifi- 
cate revocation list for specifying public key 
certificate data to be invalidated among said 
generated public key certificate data, and dis- 
tributes the related public key certificate revo- io 
cation list to said data providing apparatus, 
said data providing apparatus verifies whether 
or not public key certificate data of the data dis- 
tribution apparatus of the destination of provi- 
sion of the content data is invalid and controls 15 
the provision of said content data to said data 
distribution apparatus based on the result of the 
related verification, 

said data distribution apparatus distributes said 
provided content data to said data processing 20 
apparatus, and 

said data processing apparatus uses said dis- 
tributed content data. 

160.A data providing system comprising a data provid- 25 

ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 

said management apparatus manages the op- 30 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 35 
by using its own secret key data when said data 
distribution apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data distribution 40 
apparatus for when another apparatus verifies 
the legitimacy of the related signature data by 
using the public key data corresponding to said 
secret key data, generates public key certifi- 
cate revocation list for specifying public key ^5 
certificate data to be invalidated among said 
generated public key certificate data, and dis- 
tributes the related public key certificate revo- 
cation list to said data distribution apparatus, 
said data providing apparatus provides content 50 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said distributed pub- 
lic key certificate revocation list to said data 
processing apparatus, and 55 
said data processing apparatus verifies wheth- 
er or not public key certificate data of said data 
distribution apparatus distributing said distrib- 



uted content data is invalid based on said dis- 
tributed public key certificate revocation list and 
controls the usage of said distributed content 
data based on the result of the related verifica- 
tion. 

161 .A data providing system as set forth in claim 160, 
wherein said data distribution apparatus has a con- 
figuration which makes it difficult to tamper with said 

public key certificate revocation list distributed from 
said management apparatus. 

162. A data providing system as set forth in claim 160, 
wherein 

said management apparatus encrypts said 
public key certificate revocation list using distri- 
bution key data and distributes it to said data 
distribution apparatus and distributes said dis- 
tribution key data to said data processing ap- 
paratus and 

said data processing apparatus decrypts said 
distributed public key certificate revocation list 
using said distribution key data. 

163. A data providing system as set forth in claim 160, 
wherein said data distribution apparatus distributes 
said public key certificate revocation list to said data 
processing apparatus by broadcasting or by an on- 
demand system. 

164. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 
distribution apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data distribution 
apparatus for when another apparatus verifies 
the legitimacy of the related signature data by 
using public key data corresponding to said se- 
cret key data, generates public key certificate 
revocation list for specifying public key certifi- 
cate data to be invalidated among said gener- 
ated public key certificate data, and distributes 
the related public key certificate revocation list 
to said data processing apparatus, 
said data providing apparatus provides content 
data to said data distribution apparatus. 
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said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus- 

5 es, generates signature data indicating tliat tine 

related data is generated by an apparatus itself 
by using its own secret key data when a data 
processing apparatus supplies data to another 
apparatus, generates and manages public key 

10 certificate data of public key data correspond- 

ing to secret key data of said data processing 
apparatuses for when another apparatus veri- 
fies the legitimacy of the related signature data 
by using the public key data corresponding to 

15 said secret key data, generates public key cer- 

tificate revocation list for specifying public key 
certificate data to be invalidated among said 
generated public key certificate data, and dis- 
tributes the related public key certificate revo- 

20 cation list to said data providing apparatus, 

said data providing apparatus provides content 
data and said public key certificate revocation 
list to said data distribution apparatus, 
said data distribution apparatus distributes said 

25 provided content data and public key certificate 

revocation list to said data processing appara- 
tuses, and 

said data processing apparatuses verify wheth- 
er or not public key certificate data of said other 

30 data processing apparatuses are invalid based 

on the public key certificate revocation list dis- 
tributed from said data distribution apparatus 
and control the communication with other data 
processing apparatuses based on the result of 

35 the related verification. 



said data distribution apparatus distributes said 
provided content data to said data processing 
apparatus, and 

said data processing apparatus verifies wheth- 
er or not public key certificate data of said data 
distribution apparatus distributing said distrib- 
uted content data is invalid based on said dis- 
tributed public key certificate revocation list and 
controls the usage of said distributed content 
data based on the result of the related verifica- 
tion. 

165. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 
distribution apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data distribution 
apparatus for when another apparatus verifies 
the legitimacy of the related signature data by 
using public key data corresponding to said se- 
cret key data, generates public key certificate 
revocation list for specifying public key certifi- 
cate data to be invalidated among said gener- 
ated public key certificate data, and distributes 
the related public key certificate revocation list 
to said data providing apparatus, 
said data providing apparatus provides content 
data and said public key certificate revocation 
list to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and public key certificate 
revocation list to said data processing appara- 
tus, and 

said data processing apparatus verifies wheth- 
er or not public key certificate data of said data 
distribution apparatus distributing said distrib- 
uted content data is invalid based on said dis- 
tributed public key certificate revocation list and 
controls the usage of said distributed content 
data based on the result of the related verifica- 
tion. 

166. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, a plural- 
ity of data processing apparatuses, and a manage- 
ment apparatus, wherein: 



167. A data providing system as set forth in claim 166, 
wherein said data distribution apparatus has a con- 
figuration which makes it difficult to tamper with said 

40 public key certificate revocation list distributed from 
said management apparatus. 

168. A data providing system as set forth in claim 166, 
wherein 

45 

said management apparatus encrypts said 
public key certificate revocation list using distri- 
bution key data and distributes it to said data 
distribution apparatus and distributes said dis- 
50 tribution key data to said data processing ap- 

paratus and 

said data processing apparatus decrypts said 
distributed public key certificate revocation list 
using said distribution key data. 

55 

169. A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, a plural- 
ity of data processing apparatuses, and a manage- 
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ment apparatus, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus- 
es, generates signature data indicating that the 
related data is generated by an apparatus itself 
by using its own secret key data when a data 
processing apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data processing 
apparatuses for when another apparatus veri- 
fies the legitimacy of the related signature data 
by using the public key data corresponding to 
said secret key data, generates public key cer- 
tificate revocation list for specifying public key 
certificate data to be invalidated among said 
generated public key certificate data, and dis- 
tributes the related public key certificate revo- 
cation list to said data providing apparatus, 
said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said distributed pub- 
lic key certificate revocation list to said data 
processing apparatuses, and 
said data processing apparatuses verify wheth- 
er or not public key certificate data of other data 
processing apparatuses are invalid based on 
the public key certificate revocation list distrib- 
uted from said data distribution apparatus, and 
control the communication with other data 
processing apparatuses based on the result of 
the related verification. 

170.A data providing system as set forth in claim 169, 
wherein said data distribution apparatus has a con- 
figuration which makes it difficult to tamper with said 
public key certificate revocation list distributed from 
said management apparatus. 

171 .A data providing system as set forth in claim 169, 
wherein 

said management apparatus encrypts said 
public key certificate revocation list using distri- 
bution key data and distributes it to said data 
distribution apparatus and distributes said dis- 
tribution key data to said data processing ap- 
paratus and 

said data processing apparatus decrypts said 
distributed public key certificate revocation list 
using said distribution key data. 

172.A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, a plural- 



ity of data processing apparatuses, and a manage- 
ment apparatus, wherein: 

a data processing apparatus supplies registra- 
tion data, indicating an already registered data 
processing apparatus connected in a predeter- 
mined network to which is connected, to said 
management apparatus, refers to a revocation 
flag in registration data supplied from said man- 
agement apparatus and restricts communica- 
tion with another data processing apparatus 
having public key certificate data indicated as 
invalid by the revocation flag, 
said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus- 
es, generates and manages public key certifi- 
cate data of public key data corresponding to 
secret key data for when a data processing ap- 
paratus generates signature data indicating le- 
gitimacy of data using its own secret key data 
when supplying data to another apparatus, 
generates public key certificate revocation list 
for specifying public key certificate data to be 
invalidated among said generated public key 
certificate data, stores the related public key 
certificate revocation list, generates new regis- 
tration data by setting said revocation flag in 
said registration data supplied from data 
processing apparatuses based on the related 
public key certificate revocation list, and distrib- 
utes the related generated registration data to 
said data processing apparatuses, 
said data providing apparatus provides content 
data to said data distribution apparatus, and 
said data distribution apparatus distributes said 
provided content data to said data processing 
apparatuses. 

173.A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, a plural- 
ity of data processing apparatuses, and a manage- 
ment apparatus, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus- 
es, generates and manages public key certifi- 
cate data of public key data corresponding to 
said secret key data for when a data processing 
apparatus generates signature data indicating 
the legitimacy of data by using its own secret 
key data when supplying the related data to an- 
other apparatus, generates public key certifi- 
cate revocation list for specifying public key 
certificate data to be invalidated among said 
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generated public key certificate data, and dis- 
tributes tine related public key certificate revo- 
cation list to said data providing apparatus, 
said data providing apparatus provides content 
data and said public key certificate revocation 5 
list to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said public key cer- 
tificate revocation list to said data processing 
apparatuses, and io 
a data processing apparatus sets a revocation 
flag in registration data indicating an already 
registered data processing apparatus connect- 
ed in a predetermined network to which it is 
connected based on said distributed public key ^5 
certificate revocation list and restricts commu- 
nication with another data processing appara- 
tus having public key certificate data indicated 
as invalid by the related revocation flag. 

20 

174.A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, a plural- 
ity of data processing apparatuses, and a manage- 
ment apparatus, wherein: 

25 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus- 
es, generates and manages public key certifi- so 
cate data of public key data corresponding to 
secret key data for when a data processing ap- 
paratus generates signature data indicating the 
legitimacy of the data by using its own secret 
key data when supplying the related data to an- 35 
other apparatus, generates public key certifi- 
cate revocation list for specifying public key 
certificate data to be invalidated among said 
generated public key certificate data, and dis- 
tributes the related public key certificate revo- 40 
cation list to said data distribution apparatus, 
said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said public key cer- ^5 



tificate revocation list to said data processing 

apparatuses, and 

a data processing apparatus sets a revocation 
flag in registration data indicating an already 
registered data processing apparatus connect- 
ed in a predetermined network to which it is 
connected based on said distributed public key 
certificate revocation list and restricts commu- 
nication with another data processing appara- 
tus having public key certificate data indicated 
as invalid by the related revocation flag. 

175.A data providing system comprising a data provid- 



ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 

said data providing apparatus provides content 
data and usage control policy data indicating 
the handling of the related content data to said 
data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said usage control 
policy data to said data processing apparatus, 
said data processing apparatus has a first mod- 
ule for communicating with said data distribu- 
tion apparatus and a second module for deter- 
mining at least one of a purchase mode and us- 
age mode of said distributed content data 
based on said distributed usage control policy 
data and transmitting log data indicating the log 
of the related determined purchase mode and 
usage mode to said management apparatus, 
said management apparatus manages the data 
providing apparatus, data distribution appara- 
tus, and data processing apparatus and 
has a settlement function for performing profit 
distribution processing for distributing the profit 
obtained accompanied with said data process- 
ing apparatus receiving distribution of said con- 
tent data and purchasing and using said con- 
tent data to related parties of said data provid- 
ing apparatus and said data distribution appa- 
ratus based on said log data received from said 
second module and performing settlement 
based on the result of the related profit distri- 
bution processing and a right management 
function for registering said usage control poli- 
cy data. 

176. A data providing system as set forth in claim 175, 
wherein said management apparatus has 

a first management apparatus having a settle- 
ment function and 

a second management apparatus having a 
right management function. 

177. A data providing system as set forth in claim 175, 
wherein said settlement is electronic settlement. 

178. A data providing system comprising a data provid- 
50 ing apparatus, data distribution apparatus, data 

processing apparatus, and management appara- 
tus, wherein: 

said data providing apparatus provides content 
55 data and usage control policy data indicating 

the handling of the related content data to said 
data distribution apparatus, 
said data distribution apparatus has a charging 
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said management apparatus manages the data 
providing apparatus, data distribution appara- 
tus, and data processing apparatus and 
has a settlement claim data creation function 

5 for performing profit distribution processing for 

distributing the profit obtained accompanied 
with said data processing apparatus receiving 
said distribution of said content data and pur- 
chasing and using said content data to related 

10 parties of said data providing apparatus and 

said data distribution apparatus based on said 
log data received from said second module, 
creating settlement claim data used when per- 
forming settlement based on the result of the 

15 related profit distribution processing, and dis- 

tributing the same to said data providing appa- 
ratus and a right management function for reg- 
istering said usage control policy data. 



function for performing settlement processing 
by using settlement claim data distributed from 
said management apparatus and distributes 
said provided content data and said usage con- 
trol policy data to said data processing appara- 
tus, 

said data processing apparatus has a first mod- 
ule for communicating with said data distribu- 
tion apparatus and a second module for deter- 
mining at least one of a purchase mode and us- 
age mode of said distributed content data 
based on said distributed usage control policy 
data and transmitting log data indicating the log 
of the related determined purchase mode and 
usage mode to said management apparatus, 
said management apparatus manages the data 
providing apparatus, data distribution appara- 
tus, and data processing apparatus and 
has a settlement claim data creation function 
for performing profit distribution processing for 
distributing the profit obtained accompanied 
with said data processing apparatus receiving 
distribution of said content data and purchasing 
and using said content data to related parties 
of said data providing apparatus and said data 
distribution apparatus based on said log data 
received from said second module, creating 
settlement claim data used when performing 
settlement based on the result of the related 
profit distribution processing, and supplying the 
same to said data distribution apparatus and a 
right management function for registering said 
usage control policy data. 

179.A data providing system comprising a data provid- 
ing apparatus, data distribution apparatus, data 
processing apparatus, and management appara- 
tus, wherein: 

said data providing apparatus has a charging 
function for performing settlement processing 
by using settlement claim data distributed from 
said management apparatus and provides con- 
tent data and usage control policy data indicat- 
ing the handling of the related content data to 
said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said usage control 
policy data to said data processing apparatus, 
said data processing apparatus has a first mod- 
ule for communicating with said data distribu- 
tion apparatus and a second module for deter- 
mining at least one of a purchase mode and us- 
age mode of said distributed content data 
based on said distributed usage control policy 
data and transmitting log data indicating the log 
of the related determined purchase mode and 
usage mode to said management apparatus. 



20 1 80.A data providing method using a data providing ap- 
paratus, data processing apparatus, and manage- 
ment apparatus comprising the steps of 

distributing content data and usage control pol- 
25 icy data indicating the handling of the related 

content data from said data providing appara- 
tus to said data processing apparatus, 
determining at least one of the purchase mode 
and the usage mode of said distributed content 
30 data based on said distributed usage control 

policy data and transmitting log data indicating 
the log of at least one of the related determined 
purchase mode and usage mode to said man- 
agement apparatus at said data processing ap- 
35 paratus, and 

performing profit distribution processing for dis- 
tributing the profit obtained accompanied with 
said purchase and said usage of said content 
data in said data processing apparatus to relat- 
40 ed parties of said data providing apparatus 

based on said received log data at said man- 
agement apparatus. 

181 .A data providing method using a data providing ap- 
45 paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus com- 
prising the steps of: 



providing content data and usage control policy 
50 data indicating the handling of the related con- 

tent data from said data providing apparatus to 
said data distribution apparatus, 
distributing said provided content data and said 
usage control policy data from said data distri- 
55 bution apparatus to said data processing appa- 

ratus, 

determining at least one of the purchase mode 
and the usage mode of said distributed content 



30 



35 



83 



165 



EP 1 120 715 A1 



166 



data based on said distributed usage control 
policy data and transmitting log data indicating 
the log of the related determined purchase 
mode and usage mode to said management 
apparatus at said data processing apparatus, 
and 

performing profit distribution processing for dis- 
tributing the profit obtained accompanied with 
said data processing apparatus receiving said 
distribution of said content data and purchasing 
and using said content data to related parties 
of said data providing apparatus and said data 
distribution apparatus based on said log data 
received from said second module at said man- 
agement apparatus. 

182. A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus com- 
prising the steps of: 

providing content data and usage control policy 
data indicating the handling of the related con- 
tent data from said data providing apparatus to 
said data distribution apparatus, 
distributing said content data and said usage 
control policy data provided from said data dis- 
tribution apparatus to said data processing ap- 
paratus to said data processing apparatus, 
generating data distribution apparatus use pur- 
chase log data indicating the log of the pur- 
chase of said content data distributed from said 
data distribution apparatus and transmitting the 
same to said data distribution apparatus, deter- 
mining at least one of a purchase mode and us- 
age mode of said distributed content data 
based on said distributed usage control policy 
data, and transmitting management apparatus 
use log data indicating the log of the related de- 
termined purchase mode and usage mode to 
said management apparatus at said data 
processing apparatus, 

distributing the profit obtained accompanied 
with said purchase and said usage of said con- 
tent data in said data processing apparatus to 
related parties of said data providing apparatus 
and said data distribution apparatus based on 
said management apparatus use log data at 
said management apparatus, and 
performing charging processing concerning the 
distribution of said content data based on the 
data distribution apparatus use purchase log 
data received from said data processing appa- 
ratus at said data distribution apparatus. 

183. A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 



vide content data, wherein 

said data providing apparatus provides content 
data to said data distribution apparatus, 

5 said data distribution apparatus distributes said 

provided content data to said data processing 
apparatus, and 

said data processing apparatus manages the 
operation of a data provision service by said da- 

10 ta providing apparatus, data distribution appa- 

ratus, and data processing apparatus, and 
said management apparatus manages opera- 
tion of a data providing service by said data pro- 
viding apparatus, said data distribution appara- 

15 tus, and said data processing apparatus, 

wherein 

the transmission of data among said data pro- 
viding apparatus, said data distribution appara- 
tus, said data processing apparatus, and said 
20 management apparatus is carried out by using 

mutual authentication using a public key en- 
cryption method, signature creation, signature 
verification, and encryption of data by a com- 
mon key encryption method. 



25 



184.A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 
vide content data, wherein 



30 



said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data to said data processing 

35 apparatus, 

said data processing apparatus uses said dis- 
tributed content data, and 
said management apparatus manages the op- 
eration of a data providing service by said data 

40 providing apparatus, said data distribution ap- 

paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by itself by using its own 
secret key data when each of said data provid- 

45 ing apparatus, said data distribution apparatus, 

and said data processing apparatus supplies 
the data to another apparatus, and generates 
and manages public key certificate data of pub- 
lic key data corresponding to secret key data of 

50 said data providing apparatus, said data distri- 

bution apparatus, and said data processing ap- 
paratus when the legitimacy of the signature 
data corresponding to the data is verified by us- 
ing the public key data of the related other ap- 

55 paratus when receiving the supply of the relat- 

ed data from the other apparatus, wherein 
said data providing apparatus, said data distri- 
bution apparatus, and said data processing ap- 
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paratus acquire said their own public key cer- 
tificate data from said management apparatus 
before communicating witli the other apparatus 
and transmit the related acquired public key 
certificate data to said other apparatus. 

185. A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 
vide content data, wherein 

said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data to said data processing 
apparatus, 

said data processing apparatus uses said dis- 
tributed content data, and 
said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates the signature data indicating that the 
related data is generated by itself by using its 
own secret key data when each of said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus 
supplies data to another apparatus, and gener- 
ates and manages public key certificate data of 
public key data corresponding to secret key da- 
ta of said data providing apparatus, said data 
distribution apparatus, and said data process- 
ing apparatus when the legitimacy of the signa- 
ture data corresponding to the data is verified 
by using the public key data of the related other 
apparatus when receiving the supply of the re- 
lated data from the other apparatus, wherein 
said data providing apparatus, said data distri- 
bution apparatus, and said data processing ap- 
paratus acquire their own public key certificate 
data from said management apparatus when 
communicating with the other apparatus and 
transmit the related acquired public key certifi- 
cate data to said other apparatus at said com- 
munication. 

1 86. A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 
vide content data, wherein: 

said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data to said data processing 
apparatus, 

said data processing apparatus uses said dis- 
tributed content data, and 



said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 

5 generates signature data indicating that the re- 

lated data is generated by itself by using its own 
secret key data when each of said data provid- 
ing apparatus, said data distribution apparatus, 
and said data processing apparatus supplies 

10 data to another apparatus, generates and man- 

ages public key certificate data of public key da- 
ta corresponding to secret key data of said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus 

15 when the legitimacy of the signature data cor- 

responding to the data is verified by using the 
public key data of the related other apparatus 
when receiving the supply of the related data 
from the other apparatus, and generates public 

20 key certificate revocation list for specifying pub- 

lic key certificate data to be invalidated among 
said generated public key certificate data and 
thereby to restrict said communication or said 
distribution using public key certificate data 

25 specified by said public key certificate revoca- 

tion list by said data providing apparatus, said 
data distribution apparatus, and said data 
processing apparatus. 

30 187.A data providing method as set forth in claim 186, 
wherein said management apparatus generates 
public key certificate revocation list specifying pub- 
lic key certificate data corresponding to said data 
providing apparatus, said data distribution appara- 

35 tus, and said data processing apparatus used for 
illegal actions. 

188.A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
40 ing apparatus, and management apparatus to pro- 
vide content data, wherein: 

said data providing apparatus provides content 
data to said data distribution apparatus, 
45 said data distribution apparatus distributes said 

provided content data to said data processing 
apparatus, 

said management apparatus manages the op- 
eration of a data providing service by said data 

50 providing apparatus, said data distribution ap- 

paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 

55 providing apparatus supplies data to another 

apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data providing ap- 
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paratus for when another apparatus verifies the 
legitimacy of the related signature data by using 
the public key data corresponding to said secret 
key data, generates public key certificate revo- 
cation list for specifying public key certificate 5 
data to be invalidated among said generated 
public key certificate data, distributes the relat- 
ed public key certificate revocation list to said 
data processing apparatus, and 
said data processing apparatus verifies wheth- io 
er or not public key certificate data of said data 
providing apparatus providing said distributed 
content data is invalid based on said public key 
certificate revocation list distributed from said 
management apparatus and controls the usage 15 
of said distributed content data based on the 
result of the related verification. 



189. A data providing method as set forth in claim 188, 
wherein said management apparatus directly dis- 20 
tributes said public key certificate revocation list to 
said data processing apparatus. 

190. A data providing method as set forth in claim 188, 
wherein said management apparatus distributes 25 
said public key certificate revocation list to said data 
processing apparatus through said data distribution 
apparatus, by broadcasting, or by an on-demand 
system. 

30 

191 .A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 
vide content data, wherein: 



content data is invalid based on said public key 
certificate revocation list distributed from said 
management apparatus, and controls the dis- 
tribution of said provided content data to said 
data processing apparatus based on the result 
of the related verification. 

192. A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 
vide content data, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 
distribution apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data distribution 
apparatus for when another apparatus verifies 
the legitimacy of the related signature data by 
using the public key data corresponding to said 
secret key data, generates public key certifi- 
cate revocation list for specifying public key 
certificate data to be invalidated among said 
generated public key certificate data, and dis- 
tributes the related public key certificate revo- 
cation list to said data providing apparatus, 
said data providing apparatus verifies whether 
or not public key certificate data of the data dis- 
tribution apparatus of the destination of provi- 
sion of the content data is invalid and controls 
the provision of said content data to said data 
distribution apparatus based on the result of the 
related verification, 

said data distribution apparatus distributes said 
provided content data to said data processing 
apparatus, and 

said data processing apparatus uses said dis- 
tributed content data. 

193. A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 
vide content data, wherein: 

said management apparatus manages the 
operation of a data providing service by said data 
providing apparatus, said data distribution appara- 
tus, and said data processing apparatus, generates 
signature data indicating that the related data is 
generated by an apparatus itself by using its own 
secret key data when said data distribution appara- 
tus supplies data to another apparatus, generates 
and manages public key certificate data of public 



said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating that the re- 40 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 
providing apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- ^5 
ing to secret key data of said data providing ap- 
paratus for when another apparatus verifies the 
legitimacy of the related signature data by using 
the public key data corresponding to said secret 
key data, generates public key certificate revo- 50 
cation list for specifying public key certificate 
data to be invalidated among said generated 
public key certificate data, distributes the relat- 
ed public key certificate revocation list to said 
data distribution apparatus, and 55 
said data distribution apparatus verifies wheth- 
er or not public key certificate data of said data 
providing apparatus providing said provided 



86 



171 



EP 1 120 715 A1 



172 



providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus, 
generates signature data indicating tinat tlie re- 
lated data is generated by an apparatus itself 
5 by using its own secret key data when said data 

distribution apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data distribution 
10 apparatus for when another apparatus verifies 

the legitimacy of the related signature data by 
using public key data corresponding to said se- 
cret key data, generates public key certificate 
revocation list for specifying public key certifi- 
es cate data to be invalidated among said gener- 
ated public key certificate data, and distributes 
the related public key certificate revocation list 
to said data processing apparatus, 
said data providing apparatus provides content 
20 data to said data distribution apparatus, 

said data distribution apparatus distributes said 
provided content data to said data processing 
apparatus, and 

said data processing apparatus verifies wheth- 
25 er or not public key certificate data of said data 

distribution apparatus distributing said distrib- 
uted content data is invalid based on said dis- 
tributed public key certificate revocation list and 
controls the usage of said distributed content 
30 data based on the result of the related verifica- 

tion. 



key data corresponding to secret key data of said 
data distribution apparatus for when another appa- 
ratus verifies the legitimacy of the related signature 
data by using the public key data corresponding to 
said secret key data, generates public key certifi- 
cate revocation list for specifying public key certifi- 
cate data to be invalidated among said generated 
public key certificate data, and distributes the relat- 
ed public key certificate revocation list to said data 
distribution apparatus, 

said data providing apparatus provides content 
data to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said distributed pub- 
lic key certificate revocation list to said data 
processing apparatus, and 
said data processing apparatus verifies wheth- 
er or not public key certificate data of said data 
distribution apparatus distributing said distrib- 
uted content data is invalid based on said dis- 
tributed public key certificate revocation list and 
controls the usage of said distributed content 
data based on the result of the related verifica- 
tion. 

194. A data providing method as set forth in claim 193, 
wherein said data distribution apparatus has a con- 
figuration which makes it difficult to tamper with said 
public key certificate revocation list distributed from 
said management apparatus. 

195. A data providing method as set forth in claim 193, 
wherein 

said management apparatus encrypts said 
public key certificate revocation list using distri- 
bution key data and distributes it to said data 
distribution apparatus and distributes said dis- 
tribution key data to said data processing ap- 
paratus and 

said data processing apparatus decrypts said 
distributed public key certificate revocation list 
using said distribution key data. 

196. A data providing method as set forth in claim 160, 
wherein said data distribution apparatus distributes 
said public key certificate revocation list to said data 
processing apparatus by broadcasting or by an on- 
demand system. 

197. A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 
vide content data, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 



198.A data providing method using a data providing ap- 
paratus, data distribution apparatus, data process- 
es ing apparatus, and management apparatus to pro- 
vide content data, wherein: 



said management apparatus manages the op- 
eration of a data providing service by said data 

40 providing apparatus, said data distribution ap- 

paratus, and said data processing apparatus, 
generates signature data indicating that the re- 
lated data is generated by an apparatus itself 
by using its own secret key data when said data 

45 distribution apparatus supplies data to another 

apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data distribution 
apparatus for when another apparatus verifies 

50 the legitimacy of the related signature data by 

using public key data corresponding to said se- 
cret key data, generates public key certificate 
revocation list for specifying public key certifi- 
cate data to be invalidated among said gener- 

55 ated public key certificate data, and distributes 

the related public key certificate revocation list 
to said data providing apparatus, 
said data providing apparatus provides content 
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data and said public key certificate revocation 
list to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and public key certificate 
revocation list to said data processing appara- 5 
tus, and 

said data processing apparatus verifies wheth- 
er or not public key certificate data of said data 
distribution apparatus distributing said distrib- 
uted content data is invalid based on said dis- io 
tributed public key certificate revocation list and 
controls the usage of said distributed content 
data based on the result of the related verifica- 
tion. 



199. A data providing method using a data providing ap- 
paratus, data distribution apparatus, a plurality of 
data processing apparatuses, and a management 
apparatus to provide content data, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus- 
es, generates signature data indicating that the 
related data is generated by an apparatus itself 
by using its own secret key data when a data 
processing apparatus supplies data to another 
apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data processing 
apparatuses for when another apparatus veri- 
fies the legitimacy of the related signature data 
by using the public key data corresponding to 
said secret key data, generates public key cer- 
tificate revocation list for specifying public key 
certificate data to be invalidated among said 
generated public key certificate data, and dis- 
tributes the related public key certificate revo- 
cation list to said data providing apparatus, 
said data providing apparatus provides content 
data and said public key certificate revocation 
list to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and public key certificate 
revocation list to said data processing appara- 
tuses, and 

said data processing apparatuses verify wheth- 
er or not public key certificate data of said other 
data processing apparatuses are invalid based 
on the public key certificate revocation list dis- 
tributed from said data distribution apparatus 
and control the communication with other data 
processing apparatuses based on the result of 
the related verification. 

200. A data providing method as set forth in claim 199, 
wherein said data distribution apparatus has a con- 



figuration which makes it difficult to tamper with said 
public key certificate revocation list distributed from 
said management apparatus. 

201. A data providing method as set forth in claim 199, 
wherein 

said management apparatus encrypts said 
public key certificate revocation list using distri- 
bution key data and distributes it to said data 
distribution apparatus and distributes said dis- 
tribution key data to said data processing ap- 
paratus and 

said data processing apparatus decrypts said 
distributed public key certificate revocation list 
using said distribution key data. 

202. A data providing method using a data providing ap- 
paratus, data distribution apparatus, a plurality of 

20 data processing apparatuses, and a management 
apparatus to provide content data, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
25 providing apparatus, said data distribution ap- 

paratus, and said data processing apparatus- 
es, generates signature data indicating that the 
related data is generated by an apparatus itself 
by using its own secret key data when a data 
30 processing apparatus supplies data to another 

apparatus, generates and manages public key 
certificate data of public key data correspond- 
ing to secret key data of said data processing 
apparatuses for when another apparatus veri- 
35 fies the legitimacy of the related signature data 

by using the public key data corresponding to 
said secret key data, generates public key cer- 
tificate revocation list for specifying public key 
certificate data to be invalidated among said 
40 generated public key certificate data, and dis- 

tributes the related public key certificate revo- 
cation list to said data providing apparatus, 
said data providing apparatus provides content 
data to said data distribution apparatus, 
45 said data distribution apparatus distributes said 

provided content data and said distributed pub- 
lic key certificate revocation list to said data 
processing apparatuses, and 
said data processing apparatuses verify wheth- 
50 er or not public key certificate data of other data 

processing apparatuses are invalid based on 
the public key certificate revocation list distrib- 
uted from said data distribution apparatus, and 
control the communication with other data 
55 processing apparatuses based on the result of 

the related verification. 

203. A data providing method as set forth in claim 202, 
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wherein said data distribution apparatus lias a con- 
figuration whicli makes it difficult to tamper witli said 
public key certificate revocation list distributed from 
said management apparatus. 

204. A data providing method as set forth in claim 202, 
wherein 

said management apparatus encrypts said 
public key certificate revocation list using distri- 
bution key data and distributes it to said data 
distribution apparatus and distributes said dis- 
tribution key data to said data processing ap- 
paratus and 

said data processing apparatus decrypts said 
distributed public key certificate revocation list 
using said distribution key data. 

205. A data providing method using a data providing ap- 
paratus, data distribution apparatus, a plurality of 
data processing apparatuses, and a management 
apparatus to provide content data, wherein: 

a data processing apparatus supplies registra- 
tion data, indicating an already registered data 
processing apparatus connected in a predeter- 
mined network to which is connected, to said 
management apparatus, refers to a revocation 
flag in registration data supplied from said man- 
agement apparatus and restricts communica- 
tion with another data processing apparatus 
having public key certificate data indicated as 
invalid by the revocation flag, 
said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus- 
es, generates and manages public key certifi- 
cate data of public key data corresponding to 
secret key data for when a data processing ap- 
paratus generates signature data indicating le- 
gitimacy of data using its own secret key data 
when supplying data to another apparatus, 
generates public key certificate revocation list 
for specifying public key certificate data to be 
invalidated among said generated public key 
certificate data, stores the related public key 
certificate revocation list, generates new regis- 
tration data by setting said revocation flag in 
said registration data supplied from data 
processing apparatuses based on the related 
public key certificate revocation list, and distrib- 
utes the related generated registration data to 
said data processing apparatuses, 
said data providing apparatus provides content 
data to said data distribution apparatus, and 
said data distribution apparatus distributes said 
provided content data to said data processing 



apparatuses. 

206. A data providing method using a data providing ap- 
paratus, data distribution apparatus, a plurality of 

5 data processing apparatuses, and a management 

apparatus to provide content data, wherein: 

said management apparatus manages the op- 
eration of a data providing service by said data 
10 providing apparatus, said data distribution ap- 

paratus, and said data processing apparatus- 
es, generates and manages public key certifi- 
cate data of public key data corresponding to 
said secret key data for when a data processing 
15 apparatus generates signature data indicating 

the legitimacy of data by using its own secret 
key data when supplying the related data to an- 
other apparatus, generates public key certifi- 
cate revocation list for specifying public key 
20 certificate data to be invalidated among said 

generated public key certificate data, and dis- 
tributes the related public key certificate revo- 
cation list to said data providing apparatus, 
said data providing apparatus provides content 
25 data and said public key certificate revocation 

list to said data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said public key cer- 
tificate revocation list to said data processing 
30 apparatuses, and 

a data processing apparatus sets a revocation 
flag in registration data indicating an already 
registered data processing apparatus connect- 
ed in a predetermined network to which it is 
35 connected based on said distributed public key 

certificate revocation list and restricts commu- 
nication with another data processing appara- 
tus having public key certificate data indicated 
as invalid by the related revocation flag. 

40 

207. A data providing method using a data providing ap- 
paratus, data distribution apparatus, a plurality of 
data processing apparatuses, and a management 
apparatus to provide content data, wherein: 

45 

said management apparatus manages the op- 
eration of a data providing service by said data 
providing apparatus, said data distribution ap- 
paratus, and said data processing apparatus- 
50 es, generates and manages public key certifi- 

cate data of public key data corresponding to 
secret key data for when a data processing ap- 
paratus generates signature data indicating the 
legitimacy of the data by using its own secret 
55 key data when supplying the related data to an- 

other apparatus, generates public key certifi- 
cate revocation list for specifying public key 
certificate data to be invalidated among said 
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generated public key certificate data, and dis- 
tributes tine related public key certificate revo- 
cation list to said data distribution apparatus, 
said data providing apparatus provides content 
data to said data distribution apparatus, 5 
said data distribution apparatus distributes said 
provided content data and said public key cer- 
tificate revocation list to said data processing 
apparatuses, and 

a data processing apparatus sets a revocation io 
flag in registration data indicating an already 
registered data processing apparatus connect- 
ed in a predetermined network to which it is 
connected based on said distributed public key 
certificate revocation list and restricts commu- 15 
nication with another data processing appara- 
tus having public key certificate data indicated 
as invalid by the related revocation flag. 

208.A data providing method using a data providing ap- 20 
paratus, data distribution apparatus, data process- 
ing apparatus, and management apparatus to pro- 
vide content data, wherein: 

said data providing apparatus provides content 25 
data and usage control policy data indicating 
the handling of the related content data to said 
data distribution apparatus, 
said data distribution apparatus distributes said 
provided content data and said usage control so 
policy data to said data processing apparatus, 
said data processing apparatus has a first mod- 
ule for communicating with said data distribu- 
tion apparatus and a second module for deter- 
mining at least one of a purchase mode and us- 35 
age mode of said distributed content data 
based on said distributed usage control policy 
data and transmitting log data indicating the log 
of the related determined purchase mode and 
usage mode to said management apparatus, 40 
said management apparatus manages the data 
providing apparatus, data distribution appara- 
tus, and data processing apparatus and 
has a settlement function for performing profit 
distribution processing for distributing the profit ^5 
obtained accompanied with said data process- 
ing apparatus receiving distribution of said con- 
tent data and purchasing and using said con- 
tent data to related parties of said data provid- 
ing apparatus and said data distribution appa- 50 
ratus based on said log data received from said 
second module and performing settlement 
based on the result of the related profit distri- 
bution processing and a right management 
function for registering said usage control poll- 55 
cy data. 
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